amadey | 2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c

Resubmissions

01-07-2024 10:57

240701-m2gvna1bmr 10

27-06-2024 14:07

240627-re4s5axbqm 10

26-06-2024 21:27

240626-1awrdsvdkd 10

Analysis

max time kernel
103s
max time network
135s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Size

1.9MB
MD5

f7b7a8eb191d45b9cf730d6fe78d36e1
SHA1

0b7a7220d686c904b0ea89b6e036fb21acf0f85b
SHA256

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c
SHA512

b282e77a5855c5b302139740dfc870eec9a358669b84a8a35ccbef6abc40c4182fb34cf24d17bd5012173e71b8d7c7ddecc834248a470e7e9cffc3cdd19a4b36
SSDEEP

49152:0YUvB6P4Zu2Zrq9Lp8lt+YPawAYsOWgu30w:KwPpN0tviwAY+g0n

Score

10^/10

amadey monster redline xmrig 06-25-24 123 e76b71 discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

123

185.215.113.67:40960

Extracted

Family

redline

Botnet

06-25-24

85.28.47.7:17210

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\onefile_2324_133639709137694000\stub.exe	family_monster
behavioral1/memory/2880-788-0x000000013F330000-0x000000014056E000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe	family_redline
behavioral1/memory/2060-393-0x0000000000ED0000-0x0000000000F20000-memory.dmp	family_redline
behavioral1/memory/1572-642-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/1572-645-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/1572-644-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 15 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2876-692-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2876-694-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2876-695-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2876-691-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2876-698-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2876-699-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2876-697-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2876-700-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-783-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-787-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-786-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-785-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-784-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-824-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2444-825-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2248 powershell.exe
820 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2248	powershell.exe
820	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 20 IoCs

Processes:

axplong.exegold.exeNewLatest.exeHkbsse.exe1.exeFirstZ.exeldr.exeHkbsse.exealex5555555.exe123.exestl.exerig.exestl.exestreamer.exeTpWWMUpe0LEV.exewfbrmcwrltkl.exebuild.exestub.exereakuqnanrkn.exe

pid	process
2524	axplong.exe
556	gold.exe
1748	NewLatest.exe
2052	Hkbsse.exe
2088	1.exe
428	FirstZ.exe
1860	ldr.exe
2240	Hkbsse.exe
2428	alex5555555.exe
2060	123.exe
2140	stl.exe
2892	rig.exe
1572	stl.exe
2976	streamer.exe
1772	TpWWMUpe0LEV.exe
460
1984	wfbrmcwrltkl.exe
2324	build.exe
2880	stub.exe
1860	reakuqnanrkn.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Wine	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Wine	axplong.exe

Loads dropped DLL 34 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exeWerFault.exeNewLatest.exeHkbsse.exeldr.exeWerFault.exeHkbsse.exestl.exeTpWWMUpe0LEV.exebuild.exestub.exe

pid	process
2392	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
2524	axplong.exe
2524	axplong.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
2524	axplong.exe
1748	NewLatest.exe
2052	Hkbsse.exe
2052	Hkbsse.exe
2052	Hkbsse.exe
2052	Hkbsse.exe
2524	axplong.exe
1860	ldr.exe
2524	axplong.exe
2524	axplong.exe
1704	WerFault.exe
1704	WerFault.exe
1704	WerFault.exe
2524	axplong.exe
2240	Hkbsse.exe
2240	Hkbsse.exe
2140	stl.exe
2240	Hkbsse.exe
2240	Hkbsse.exe
2524	axplong.exe
2524	axplong.exe
1772	TpWWMUpe0LEV.exe
460
2524	axplong.exe
2324	build.exe
2880	stub.exe
460
460

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2876-692-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-694-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-695-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-691-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-690-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-689-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-688-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-687-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-686-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-698-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-699-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-697-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2876-700-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-783-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-787-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-786-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-785-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-784-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-824-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2444-825-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

31 bitbucket.org
32 bitbucket.org
55 pastebin.com
56 pastebin.com

flow	ioc
31	bitbucket.org
32	bitbucket.org
55	pastebin.com
56	pastebin.com

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
2280	powercfg.exe
1520	powercfg.exe
2060	powercfg.exe
1848	powercfg.exe
1012	powercfg.exe
1592	powercfg.exe
2812	powercfg.exe
2356	powercfg.exe
2272	powercfg.exe
1524	powercfg.exe
1144	powercfg.exe
760	powercfg.exe
1924	powercfg.exe
1860	powercfg.exe
2040	powercfg.exe
2352	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

FirstZ.exepowershell.exereakuqnanrkn.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exe

pid process

2392 2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
2524 axplong.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

stl.exewfbrmcwrltkl.exereakuqnanrkn.exe

description	pid	process	target process
PID 2140 set thread context of 1572	2140	stl.exe	stl.exe
PID 1984 set thread context of 2876	1984	wfbrmcwrltkl.exe	explorer.exe
PID 1860 set thread context of 1548	1860	reakuqnanrkn.exe	conhost.exe
PID 1860 set thread context of 2444	1860	reakuqnanrkn.exe	explorer.exe

Drops file in Windows directory 5 IoCs

Processes:

ldr.exewusa.exewusa.exe2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeNewLatest.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	ldr.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Tasks\axplong.job	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

Launches sc.exe 18 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2264 sc.exe
1960 sc.exe
2580 sc.exe
2672 sc.exe
2616 sc.exe
1124 sc.exe
2360 sc.exe
2688 sc.exe
1124 sc.exe
2096 sc.exe
2088 sc.exe
1972 sc.exe
2488 sc.exe
2236 sc.exe
1496 sc.exe
2264 sc.exe
928 sc.exe
2024 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

568 556 WerFault.exe gold.exe
1704 2428 WerFault.exe alex5555555.exe

pid	process
2264	sc.exe
1960	sc.exe
2580	sc.exe
2672	sc.exe
2616	sc.exe
1124	sc.exe
2360	sc.exe
2688	sc.exe
1124	sc.exe
2096	sc.exe
2088	sc.exe
1972	sc.exe
2488	sc.exe
2236	sc.exe
1496	sc.exe
2264	sc.exe
928	sc.exe
2024	sc.exe

pid	pid_target	process	target process
568	556	WerFault.exe	gold.exe
1704	2428	WerFault.exe	alex5555555.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50a587839bc8da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplong.exeHkbsse.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Hkbsse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Hkbsse.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exe123.exestl.exerig.exewfbrmcwrltkl.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exeexplorer.exe

pid	process
2392	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
2524	axplong.exe
2060	123.exe
1572	stl.exe
2892	rig.exe
2892	rig.exe
2892	rig.exe
2892	rig.exe
2892	rig.exe
2892	rig.exe
2892	rig.exe
2892	rig.exe
1984	wfbrmcwrltkl.exe
1984	wfbrmcwrltkl.exe
1984	wfbrmcwrltkl.exe
1984	wfbrmcwrltkl.exe
1984	wfbrmcwrltkl.exe
428	FirstZ.exe
2248	powershell.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
428	FirstZ.exe
1860	reakuqnanrkn.exe
820	powershell.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
1860	reakuqnanrkn.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe
2444	explorer.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460

pid	process
460
460

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

stl.exe123.exestl.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2140	stl.exe
Token: SeDebugPrivilege	2060	123.exe
Token: SeDebugPrivilege	1572	stl.exe
Token: SeShutdownPrivilege	2272	powercfg.exe
Token: SeShutdownPrivilege	760	powercfg.exe
Token: SeShutdownPrivilege	1144	powercfg.exe
Token: SeShutdownPrivilege	2040	powercfg.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeShutdownPrivilege	1924	powercfg.exe
Token: SeShutdownPrivilege	1860	powercfg.exe
Token: SeShutdownPrivilege	2352	powercfg.exe
Token: SeLockMemoryPrivilege	2876	explorer.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeShutdownPrivilege	1592	powercfg.exe
Token: SeShutdownPrivilege	1012	powercfg.exe
Token: SeShutdownPrivilege	2280	powercfg.exe
Token: SeShutdownPrivilege	1848	powercfg.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeShutdownPrivilege	1520	powercfg.exe
Token: SeShutdownPrivilege	2060	powercfg.exe
Token: SeShutdownPrivilege	2812	powercfg.exe
Token: SeShutdownPrivilege	2356	powercfg.exe
Token: SeLockMemoryPrivilege	2444	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeNewLatest.exeldr.exe

pid process

2392 2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
1748 NewLatest.exe
1860 ldr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exegold.exeNewLatest.exeHkbsse.exeldr.exealex5555555.exeHkbsse.exestl.exe

description	pid	process	target process
PID 2392 wrote to memory of 2524	2392	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	axplong.exe
PID 2392 wrote to memory of 2524	2392	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	axplong.exe
PID 2392 wrote to memory of 2524	2392	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	axplong.exe
PID 2392 wrote to memory of 2524	2392	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	axplong.exe
PID 2524 wrote to memory of 556	2524	axplong.exe	gold.exe
PID 2524 wrote to memory of 556	2524	axplong.exe	gold.exe
PID 2524 wrote to memory of 556	2524	axplong.exe	gold.exe
PID 2524 wrote to memory of 556	2524	axplong.exe	gold.exe
PID 556 wrote to memory of 568	556	gold.exe	WerFault.exe
PID 556 wrote to memory of 568	556	gold.exe	WerFault.exe
PID 556 wrote to memory of 568	556	gold.exe	WerFault.exe
PID 556 wrote to memory of 568	556	gold.exe	WerFault.exe
PID 2524 wrote to memory of 1748	2524	axplong.exe	NewLatest.exe
PID 2524 wrote to memory of 1748	2524	axplong.exe	NewLatest.exe
PID 2524 wrote to memory of 1748	2524	axplong.exe	NewLatest.exe
PID 2524 wrote to memory of 1748	2524	axplong.exe	NewLatest.exe
PID 1748 wrote to memory of 2052	1748	NewLatest.exe	Hkbsse.exe
PID 1748 wrote to memory of 2052	1748	NewLatest.exe	Hkbsse.exe
PID 1748 wrote to memory of 2052	1748	NewLatest.exe	Hkbsse.exe
PID 1748 wrote to memory of 2052	1748	NewLatest.exe	Hkbsse.exe
PID 2052 wrote to memory of 2088	2052	Hkbsse.exe	1.exe
PID 2052 wrote to memory of 2088	2052	Hkbsse.exe	1.exe
PID 2052 wrote to memory of 2088	2052	Hkbsse.exe	1.exe
PID 2052 wrote to memory of 2088	2052	Hkbsse.exe	1.exe
PID 2052 wrote to memory of 428	2052	Hkbsse.exe	FirstZ.exe
PID 2052 wrote to memory of 428	2052	Hkbsse.exe	FirstZ.exe
PID 2052 wrote to memory of 428	2052	Hkbsse.exe	FirstZ.exe
PID 2052 wrote to memory of 428	2052	Hkbsse.exe	FirstZ.exe
PID 2524 wrote to memory of 1860	2524	axplong.exe	ldr.exe
PID 2524 wrote to memory of 1860	2524	axplong.exe	ldr.exe
PID 2524 wrote to memory of 1860	2524	axplong.exe	ldr.exe
PID 2524 wrote to memory of 1860	2524	axplong.exe	ldr.exe
PID 1860 wrote to memory of 2240	1860	ldr.exe	Hkbsse.exe
PID 1860 wrote to memory of 2240	1860	ldr.exe	Hkbsse.exe
PID 1860 wrote to memory of 2240	1860	ldr.exe	Hkbsse.exe
PID 1860 wrote to memory of 2240	1860	ldr.exe	Hkbsse.exe
PID 2524 wrote to memory of 2428	2524	axplong.exe	alex5555555.exe
PID 2524 wrote to memory of 2428	2524	axplong.exe	alex5555555.exe
PID 2524 wrote to memory of 2428	2524	axplong.exe	alex5555555.exe
PID 2524 wrote to memory of 2428	2524	axplong.exe	alex5555555.exe
PID 2428 wrote to memory of 1704	2428	alex5555555.exe	WerFault.exe
PID 2428 wrote to memory of 1704	2428	alex5555555.exe	WerFault.exe
PID 2428 wrote to memory of 1704	2428	alex5555555.exe	WerFault.exe
PID 2428 wrote to memory of 1704	2428	alex5555555.exe	WerFault.exe
PID 2524 wrote to memory of 2060	2524	axplong.exe	123.exe
PID 2524 wrote to memory of 2060	2524	axplong.exe	123.exe
PID 2524 wrote to memory of 2060	2524	axplong.exe	123.exe
PID 2524 wrote to memory of 2060	2524	axplong.exe	123.exe
PID 2240 wrote to memory of 2140	2240	Hkbsse.exe	stl.exe
PID 2240 wrote to memory of 2140	2240	Hkbsse.exe	stl.exe
PID 2240 wrote to memory of 2140	2240	Hkbsse.exe	stl.exe
PID 2240 wrote to memory of 2140	2240	Hkbsse.exe	stl.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe
PID 2240 wrote to memory of 2892	2240	Hkbsse.exe	rig.exe
PID 2240 wrote to memory of 2892	2240	Hkbsse.exe	rig.exe
PID 2240 wrote to memory of 2892	2240	Hkbsse.exe	rig.exe
PID 2240 wrote to memory of 2892	2240	Hkbsse.exe	rig.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe
PID 2140 wrote to memory of 1572	2140	stl.exe	stl.exe

C:\Users\Admin\AppData\Local\Temp\2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
"C:\Users\Admin\AppData\Local\Temp\2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 108
4⤵
- Loads dropped DLL
- Program crash
PID:568

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
5⤵
- Executes dropped EXE
PID:2088

C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:428

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:1736

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
- Drops file in Windows directory
PID:1428

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:928

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:2360

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:2488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:2024

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:2688

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:2264

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:1124

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:2096

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:1960

C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
"C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "xjuumoinznsp"
6⤵
- Launches sc.exe
PID:2088

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
6⤵
- Launches sc.exe
PID:2264

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:1124

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "xjuumoinznsp"
6⤵
- Launches sc.exe
PID:1972

C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
"C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 108
4⤵
- Loads dropped DLL
- Program crash
PID:1704

C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
3⤵
- Executes dropped EXE
PID:2976

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324

C:\Users\Admin\AppData\Local\Temp\onefile_2324_133639709137694000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2060

C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3008

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:912

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2236

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:2672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:1496

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2616

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1548

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WriteSkip.au"
1⤵
PID:824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SubmitUninstall.vssm
1⤵
- Modifies registry class
PID:1428

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StepExpand.vssm
1⤵
PID:2168

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
PID:1152

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResetSuspend.docx"
1⤵
PID:2828

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResetSuspend.docx"
1⤵
PID:2092

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestoreConvertFrom.001
1⤵
PID:1144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestoreConvertFrom.001
1⤵
PID:1012

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestoreConvertFrom.001
1⤵
PID:2016

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SendOut.mpg"
1⤵
PID:1040

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SendOut.mpg"
1⤵
PID:2012

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SplitSkip.vstx
1⤵
PID:1496

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SplitSkip.vstx
1⤵
PID:2616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ReadGrant.vbs"
1⤵
PID:2036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ReadGrant.vbs"
1⤵
PID:2392

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\HideRegister.mpeg"
1⤵
PID:912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\HideRegister.mpeg"
1⤵
PID:1800

C:\Windows\System32\xpsrchvw.exe
"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\AddDebug.xps"
1⤵
PID:3064

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:2956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
70a026e872345cdd86add9e4a1eeedc5

SHA1
5c61d1588fa002edd9994493feff27803faf1a8a

SHA256
bec6425db4269cc1eaba6ef799a31c8ee8f0179dc36211e5f310c8c5da77fc42

SHA512
6a149ce76752c0e7e0a3cbfd6eb4dd404f3f6fb6eed172b26724a550f22eb25830b90e3e4365a76fd5580269db53f094f68e1c38538f9e42ef951807bcc3e9e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
21780c7e877fc2ce25dd435057d32e66

SHA1
99019922619159e6aa2f62dedbeb02b16b3d2bd9

SHA256
7a41aee6ad370b5aa7b49d0c62b464267268d53f2d548fddee7decdaa76cff54

SHA512
a084228b915cb62dccd5fbb4a0e93f93716e776c479b18e5c0c7daf3c5d0afdc5475c40bebbcba3c8f2393011e786767f8fc823e1cd163dcfc643e5d01e24d9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b10982624920562da273b440e4a05ffc

SHA1
17ec3149ee2c3ea9c8d5946b747327573f11e218

SHA256
538049938ac43341012c0b5b21b915259acd1fe096604325c425da68fe638edd

SHA512
e287011b60084c7eb76059d1921874df37a1b9b8927f60c1eb40745987f3c4dfbe557486afb5eda8ef296d9d9fbf7b86b9b7c8c360093e85b7a1ef5895905aee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
73cc87fa48f60eef72337c065dacb77d

SHA1
ef6af4f9a9aa032e81d8f66da8ae5c9ae69d0ac7

SHA256
7d6f31310ac88861a935ad954449e67c0e5959baabdf6969c8277febcd86715d

SHA512
52fc106430b8ba641be9f6136fc0c4d22e47b8ee5981debd72c5bcb9764d68a3ec2d802df19f40f7eb058a01eba97449da5a4c9a5d629024d818e5f5a27aecae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\stl.exe
Filesize
511KB

MD5
2d92c64d986c4640e4cb5bc41cb38821

SHA1
bfc8e36ac6e2e8e6d44cfbc421307bbd58036dd5

SHA256
31dd0e69fb3a0a0999aa228d766e36033bbf1e482bdb93912705850badfba7b0

SHA512
4975350e13824fe78e937fe9cf84f86d6de502e588cf219ba2d73a171b74af4382b6b134033cc4cb590a6068299422834192bc52613161d2ee362b6464caa962

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\rig.exe
Filesize
2.5MB

MD5
4691a9fe21f8589b793ea16f0d1749f1

SHA1
5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

SHA256
63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

SHA512
ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
Filesize
317KB

MD5
e1b59d2805b38262b9967bce3e719dbf

SHA1
4081416cfaa76941981c34518d45b60e8d4b2013

SHA256
d5bba713d11ebbb7a91be59dae0f2d4b818897fe756b854dfe40babe7664c173

SHA512
bcea30a8f2a10aed0e2c97133734a34a850c18ee9447966ed8cdae8bbf72b98ebd2703a7cadf53b8991ef5eb3047d871242e990a4b7baf00eda8ca5f5f7dda35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
493KB

MD5
92c01627961859a84ffa633327c5d7f9

SHA1
5b406c39f81f67e2b2e263137c7059718e4af007

SHA256
92373c134cbf9fc4a98ed7c80f244c8655b3852d3a1f1983fc4a7b3a00bf1370

SHA512
f31f9d45d7783441866faa0e684412040dd74c2878adfc6e5a874626e291b3e3cae7746cb62e2388d4183e615d9b919178fa409f2e12b3d0cf478c59450d3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
Filesize
1.7MB

MD5
a80a86c701801cbd77cf7406be6d11f0

SHA1
ef98a953fae4506e0402de15c1f1d9f0bfb47b01

SHA256
2f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2

SHA512
7e1216bda5c36efcc4146c410cb5717e0e9e8257c25cef2239d631fa6fb15ec953b5155b6c4b4f4f3ff661425d1b6e5b716c21711fc7ddd423e6fc009e363d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Filesize
297KB

MD5
cd581d68ed550455444ee6e099c44266

SHA1
f131d587578336651fd3e325b82b6c185a4b6429

SHA256
a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

SHA512
33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize
8.4MB

MD5
e75b157e639b54dbd603da6f5274ae7a

SHA1
42bf3073fc63234d2c3f5c937e7ddbd069e8ed4a

SHA256
a0a8fe7208a6065d64ae9c463d64498d1808279d3aa788fa98871bc4d33466cc

SHA512
68683e9a55662322fb5eb266dcff16f26ad2923ba4fe21892d552d2f2409e3aaa86cc6d91f8d26cefbb8f98f99e19d0f5340be3094449bfa7fcd56435692cd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
Filesize
10.7MB

MD5
6b1eb54b0153066ddbe5595a58e40536

SHA1
adf81c3104e5d62853fa82c2bd9b0a5becb4589a

SHA256
d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8

SHA512
104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab787C.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78BE.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2324_133639709137694000\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2324_133639709137694000\stub.exe
Filesize
18.0MB

MD5
f0587004f479243c18d0ccff0665d7f6

SHA1
b3014badadfffdd6be2931a77a9df4673750fee7

SHA256
8ce148c264ce50e64ab866e34759de81b816a3f54b21c3426513bed3f239649a

SHA512
6dedaa729ee93520907ce46054f0573fb887ac0890bea9d1d22382e9d05f8c14a8c151fe2061a0ec1dae791b13752e0fbc00ccc85838caa7524edba35d469434

Download Submit
C:\Windows\Tasks\Hkbsse.job
Filesize
266B

MD5
865ce951a7a87a5caca0d725aa3b8aec

SHA1
55b09ca8b899f3ae8006a13d94accaf65be20139

SHA256
c84620d16aec95f1e3639ada312ffce05e75ace61d879d152048671bdd271a09

SHA512
d47fbd367f2907ed2d9783005356c5846dc28ac8a94da150b35aafc71673511773ac707cce7c059848a87d522e7c3b5d488727e4c37cda7b11adabad7bd735c5

Download Submit
\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.9MB

MD5
f7b7a8eb191d45b9cf730d6fe78d36e1

SHA1
0b7a7220d686c904b0ea89b6e036fb21acf0f85b

SHA256
2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c

SHA512
b282e77a5855c5b302139740dfc870eec9a358669b84a8a35ccbef6abc40c4182fb34cf24d17bd5012173e71b8d7c7ddecc834248a470e7e9cffc3cdd19a4b36

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
memory/820-762-0x0000000019970000-0x0000000019C52000-memory.dmp

Filesize
2.9MB

Download
memory/820-763-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1040-836-0x000007FEF54F0000-0x000007FEF57A6000-memory.dmp

Filesize
2.7MB

Download
memory/1040-835-0x000007FEF57B0000-0x000007FEF57E4000-memory.dmp

Filesize
208KB

Download
memory/1040-828-0x000000013FA40000-0x000000013FB38000-memory.dmp

Filesize
992KB

Download
memory/1548-767-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-768-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-764-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-765-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-766-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1548-782-0x00000000FF890000-0x00000000FF8E7000-memory.dmp

Filesize
348KB

Download
memory/1548-771-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1572-644-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1572-642-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1572-645-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1772-675-0x00000000002E0000-0x0000000000412000-memory.dmp

Filesize
1.2MB

Download
memory/2012-832-0x000007FEF7F30000-0x000007FEF7F48000-memory.dmp

Filesize
96KB

Download
memory/2012-834-0x000007FEF6960000-0x000007FEF6971000-memory.dmp

Filesize
68KB

Download
memory/2012-833-0x000007FEF6B10000-0x000007FEF6B27000-memory.dmp

Filesize
92KB

Download
memory/2012-831-0x000007FEF54F0000-0x000007FEF57A6000-memory.dmp

Filesize
2.7MB

Download
memory/2012-830-0x000007FEF57B0000-0x000007FEF57E4000-memory.dmp

Filesize
208KB

Download
memory/2012-829-0x000000013FA40000-0x000000013FB38000-memory.dmp

Filesize
992KB

Download
memory/2060-393-0x0000000000ED0000-0x0000000000F20000-memory.dmp

Filesize
320KB

Download
memory/2088-332-0x0000000000400000-0x000000000236B000-memory.dmp

Filesize
31.4MB

Download
memory/2140-412-0x00000000008D0000-0x0000000000956000-memory.dmp

Filesize
536KB

Download
memory/2248-742-0x000000001AFF0000-0x000000001B2D2000-memory.dmp

Filesize
2.9MB

Download
memory/2248-751-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/2324-823-0x000000013F4D0000-0x000000013FFA8000-memory.dmp

Filesize
10.8MB

Download
memory/2324-773-0x000000013F4D0000-0x000000013FFA8000-memory.dmp

Filesize
10.8MB

Download
memory/2392-3-0x0000000001350000-0x0000000001821000-memory.dmp

Filesize
4.8MB

Download
memory/2392-5-0x0000000001350000-0x0000000001821000-memory.dmp

Filesize
4.8MB

Download
memory/2392-18-0x0000000001350000-0x0000000001821000-memory.dmp

Filesize
4.8MB

Download
memory/2392-1-0x0000000077AB0000-0x0000000077AB2000-memory.dmp

Filesize
8KB

Download
memory/2392-8-0x0000000001350000-0x0000000001821000-memory.dmp

Filesize
4.8MB

Download
memory/2392-6-0x0000000001350000-0x0000000001821000-memory.dmp

Filesize
4.8MB

Download
memory/2392-4-0x0000000001350000-0x0000000001821000-memory.dmp

Filesize
4.8MB

Download
memory/2392-0-0x0000000001350000-0x0000000001821000-memory.dmp

Filesize
4.8MB

Download
memory/2392-2-0x0000000001351000-0x000000000137F000-memory.dmp

Filesize
184KB

Download
memory/2444-824-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-783-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-786-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-825-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-787-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-784-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2444-785-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2524-20-0x0000000000851000-0x000000000087F000-memory.dmp

Filesize
184KB

Download
memory/2524-706-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-358-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-252-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-253-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-394-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-243-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-242-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-772-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-342-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-241-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-174-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-23-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-827-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-826-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-696-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-646-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-21-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2524-19-0x0000000000850000-0x0000000000D21000-memory.dmp

Filesize
4.8MB

Download
memory/2876-687-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-690-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-700-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-692-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-694-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-695-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-691-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-697-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-689-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-688-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-686-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-693-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/2876-698-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2876-699-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2880-788-0x000000013F330000-0x000000014056E000-memory.dmp

Filesize
18.2MB

Download
memory/2976-659-0x000000013F220000-0x000000013FB27000-memory.dmp

Filesize
9.0MB

Download