Analysis Overview
SHA256
5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4
Threat Level: Known bad
The file 5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.bin was found to be: Known bad.
Malicious Activity Summary
StormKitty
Detects Redline Stealer samples
RedLine
Modifies Windows Defender Real-time Protection settings
Amadey
AsyncRat
StormKitty payload
Async RAT payload
Downloads MZ/PE file
Checks computer location settings
Windows security modification
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops desktop.ini file(s)
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Runs ping.exe
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Creates scheduled task(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-06 21:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-06 21:59
Reported
2023-05-06 23:42
Platform
win7-20230220-en
Max time kernel
245s
Max time network
332s
Command Line
Signatures
Amadey
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe
"C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
Network
| Country | Destination | Domain | Proto |
| N/A | 185.161.248.72:38452 | N/A | tcp |
| N/A | 185.161.248.72:38452 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
| MD5 | cb7724f0cfbc465a48b1832d3419edd7 |
| SHA1 | f8553bffe63bbc454ef98c6c1ec3736b9e0a81aa |
| SHA256 | 0a77eec7259fe2048bd127f7be7af966085f73415221dd04457713348393b940 |
| SHA512 | f646e478eacb637adb358d6d3a367259de84b078465656a77f62e9d0b7443589ddfd79138730ae317649d0a1cc2b7b89a5d0c30b7f083c25671dd57c6881e933 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
| MD5 | cb7724f0cfbc465a48b1832d3419edd7 |
| SHA1 | f8553bffe63bbc454ef98c6c1ec3736b9e0a81aa |
| SHA256 | 0a77eec7259fe2048bd127f7be7af966085f73415221dd04457713348393b940 |
| SHA512 | f646e478eacb637adb358d6d3a367259de84b078465656a77f62e9d0b7443589ddfd79138730ae317649d0a1cc2b7b89a5d0c30b7f083c25671dd57c6881e933 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
| MD5 | 2c370254d2b62b9fa0a22d82556bb9db |
| SHA1 | 98dd76e9e34d752e6110a70e514f8dc94e914ebd |
| SHA256 | ecbed5e995e73dd69c417d6a3a422f3c93d1149c6a8acbed56f181535208463b |
| SHA512 | 9d0aab28dd1c4865053fd9995ded31ca14da398d2c407b46253f10abe079159fb9cace32312e25402463a24b727930db0edefebe5b8da9d57ac4493603845843 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
| MD5 | 2c370254d2b62b9fa0a22d82556bb9db |
| SHA1 | 98dd76e9e34d752e6110a70e514f8dc94e914ebd |
| SHA256 | ecbed5e995e73dd69c417d6a3a422f3c93d1149c6a8acbed56f181535208463b |
| SHA512 | 9d0aab28dd1c4865053fd9995ded31ca14da398d2c407b46253f10abe079159fb9cace32312e25402463a24b727930db0edefebe5b8da9d57ac4493603845843 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
| MD5 | 2013df3ab4c393dbfeb56100e4c414a6 |
| SHA1 | 1a0e09673ca2c1e3bfd7b5ed5e03cead327f3ac2 |
| SHA256 | 1081bd699d986ef6b0fc0d99c1dbb1c26bdfacc89249078e611c3cba538bd878 |
| SHA512 | 7bd1d58142e9b9346096b297fa286f1bf7f161e246caa27774255e91416357de9b481675fc9f63430b2dd399758521166130e7f3ce590bfc2462a3e28d0b15fb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
| MD5 | 2013df3ab4c393dbfeb56100e4c414a6 |
| SHA1 | 1a0e09673ca2c1e3bfd7b5ed5e03cead327f3ac2 |
| SHA256 | 1081bd699d986ef6b0fc0d99c1dbb1c26bdfacc89249078e611c3cba538bd878 |
| SHA512 | 7bd1d58142e9b9346096b297fa286f1bf7f161e246caa27774255e91416357de9b481675fc9f63430b2dd399758521166130e7f3ce590bfc2462a3e28d0b15fb |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
| MD5 | 6bb86793dc581b29147c2d4d5bad8ce6 |
| SHA1 | c5ffe67ea0f190d661779969a5da2b843e9eaf6d |
| SHA256 | ccf25cf1cb0269655e2003b30ed9fdc3d0225bb49b91bc301978e809bcf517bd |
| SHA512 | 376e2188605a7c9f9d69a01960b2ff2554060adc7b254ba5c827be86b3e100b628abe281231d09d29e85ba8230f2f08be4d41b0a035da6914bfeec8994559d52 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
| MD5 | 6bb86793dc581b29147c2d4d5bad8ce6 |
| SHA1 | c5ffe67ea0f190d661779969a5da2b843e9eaf6d |
| SHA256 | ccf25cf1cb0269655e2003b30ed9fdc3d0225bb49b91bc301978e809bcf517bd |
| SHA512 | 376e2188605a7c9f9d69a01960b2ff2554060adc7b254ba5c827be86b3e100b628abe281231d09d29e85ba8230f2f08be4d41b0a035da6914bfeec8994559d52 |
memory/1672-94-0x00000000005E0000-0x00000000005FA000-memory.dmp
memory/1672-95-0x0000000001FB0000-0x0000000001FC8000-memory.dmp
memory/1672-96-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-97-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-99-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-101-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-103-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-105-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-107-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-111-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-109-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-113-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-117-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-115-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-119-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-123-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-121-0x0000000001FB0000-0x0000000001FC3000-memory.dmp
memory/1672-124-0x0000000004A80000-0x0000000004AC0000-memory.dmp
memory/1672-125-0x0000000004A80000-0x0000000004AC0000-memory.dmp
memory/1672-126-0x0000000004A80000-0x0000000004AC0000-memory.dmp
memory/1672-127-0x0000000004A80000-0x0000000004AC0000-memory.dmp
memory/1672-128-0x0000000004A80000-0x0000000004AC0000-memory.dmp
memory/1672-129-0x0000000004A80000-0x0000000004AC0000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
| MD5 | 72627a85c40f3bdaf6b6b451f742f1e9 |
| SHA1 | 44a15ee128d050db7dca4884f1ccd2f584d7915e |
| SHA256 | fff90eff8d06d499e00aedf10eb72330db25202b7bc1d1bb9f2cafda8bd8a5b7 |
| SHA512 | 6ea7124b57cd1786b38a109144c51f2c0d5ca6d1821d30a208d53598ee0d9053f3c3bba6c2ec6ef288d2d8c45b751001590abb033ead29b2803e462dbd0b4eed |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
| MD5 | 72627a85c40f3bdaf6b6b451f742f1e9 |
| SHA1 | 44a15ee128d050db7dca4884f1ccd2f584d7915e |
| SHA256 | fff90eff8d06d499e00aedf10eb72330db25202b7bc1d1bb9f2cafda8bd8a5b7 |
| SHA512 | 6ea7124b57cd1786b38a109144c51f2c0d5ca6d1821d30a208d53598ee0d9053f3c3bba6c2ec6ef288d2d8c45b751001590abb033ead29b2803e462dbd0b4eed |
memory/1944-140-0x00000000005B0000-0x00000000005CA000-memory.dmp
memory/1944-141-0x0000000000B40000-0x0000000000B58000-memory.dmp
memory/1944-142-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-143-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-145-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-147-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-149-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-151-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-153-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-155-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-157-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-159-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-161-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-163-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-165-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-167-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-169-0x0000000000B40000-0x0000000000B52000-memory.dmp
memory/1944-170-0x0000000000240000-0x000000000026D000-memory.dmp
memory/1944-171-0x0000000004BC0000-0x0000000004C00000-memory.dmp
memory/1944-172-0x0000000004BC0000-0x0000000004C00000-memory.dmp
memory/1944-173-0x0000000004BC0000-0x0000000004C00000-memory.dmp
memory/1944-174-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1944-175-0x0000000004BC0000-0x0000000004C00000-memory.dmp
memory/1944-176-0x0000000004BC0000-0x0000000004C00000-memory.dmp
memory/1944-177-0x0000000004BC0000-0x0000000004C00000-memory.dmp
memory/1944-179-0x0000000000400000-0x0000000000466000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
| SHA512 | ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
| SHA512 | ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad |
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
| SHA512 | ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad |
memory/1608-186-0x00000000009D0000-0x00000000009D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
| SHA512 | ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
| MD5 | ca0980a62c6480dabf9d26117d623f05 |
| SHA1 | bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63 |
| SHA256 | 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995 |
| SHA512 | 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
| MD5 | ca0980a62c6480dabf9d26117d623f05 |
| SHA1 | bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63 |
| SHA256 | 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995 |
| SHA512 | 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b |
memory/1636-207-0x0000000001E70000-0x0000000001EAC000-memory.dmp
memory/1636-208-0x0000000001ED0000-0x0000000001F0A000-memory.dmp
memory/1636-210-0x0000000001ED0000-0x0000000001F05000-memory.dmp
memory/1636-212-0x0000000001ED0000-0x0000000001F05000-memory.dmp
memory/1636-209-0x0000000001ED0000-0x0000000001F05000-memory.dmp
memory/1636-745-0x00000000007E0000-0x0000000000826000-memory.dmp
memory/1636-747-0x0000000002170000-0x00000000021B0000-memory.dmp
memory/1636-749-0x0000000002170000-0x00000000021B0000-memory.dmp
memory/1636-751-0x0000000002170000-0x00000000021B0000-memory.dmp
memory/1636-1005-0x0000000002170000-0x00000000021B0000-memory.dmp
memory/1636-1007-0x0000000002170000-0x00000000021B0000-memory.dmp
memory/1636-1009-0x0000000002170000-0x00000000021B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-06 21:59
Reported
2023-05-06 23:39
Platform
win10v2004-20230220-en
Max time kernel
153s
Max time network
156s
Command Line
Signatures
Amadey
AsyncRat
Detects Redline Stealer samples
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
RedLine
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\ProgramData\07900588628047328197.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\ProgramData\46777832471797123856.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3060 set thread context of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif |
| PID 1028 set thread context of 1036 | N/A | C:\ProgramData\07900588628047328197.exe | C:\ProgramData\07900588628047328197.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4238149048-355649189-894321705-1000\{A6B3229E-0612-46BD-8EFC-4BD6478802EE} | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4238149048-355649189-894321705-1000\{5F21EE14-2C92-4D6A-9A4D-018D5E9FD34D} | C:\Windows\system32\svchost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\07900588628047328197.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\07900588628047328197.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\ProgramData\46777832471797123856.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe
"C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1092
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe /TH_ID=_1564 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Yugoslavia
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^TiesHighsFridayPromisedOrganismsPromotedStronglyBannersTermExplainOrganisedPhpLastingMaritime$" Finding
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
29190\\Bondage.exe.pif 29190\\M
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 18
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "dZVxEGlqbg" /tr "C:\Users\Admin\AppData\Roaming\claRXiEwVe\dZVxEGlqbg.exe.com C:\Users\Admin\AppData\Roaming\claRXiEwVe\H" /sc onlogon /F /RL HIGHEST
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\ProgramData\07900588628047328197.exe
"C:\ProgramData\07900588628047328197.exe"
C:\ProgramData\46777832471797123856.exe
"C:\ProgramData\46777832471797123856.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoJFlNPT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF3F.tmp"
C:\ProgramData\07900588628047328197.exe
"{path}"
C:\ProgramData\07900588628047328197.exe
"{path}"
C:\ProgramData\07900588628047328197.exe
"{path}"
C:\ProgramData\07900588628047328197.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 20.189.173.14:443 | N/A | tcp |
| AT | 212.113.119.255:80 | 212.113.119.255 | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 255.119.113.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 8.8.8.8:53 | 67.55.52.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp |
| N/A | 185.161.248.72:38452 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | KGpmZSONULDSRs.KGpmZSONULDSRs | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| N/A | 185.161.248.72:38452 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 40.125.122.176:443 | N/A | tcp |
| N/A | 185.161.248.72:38452 | N/A | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 168.119.169.139:131 | 168.119.169.139 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.249.124.192.in-addr.arpa | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 8.8.8.8:53 | 139.169.119.168.in-addr.arpa | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 185.161.248.72:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 54.231.226.153:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 153.226.231.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.r2m01.amazontrust.com | udp |
| NL | 54.192.87.164:80 | ocsp.r2m01.amazontrust.com | tcp |
| US | 8.8.8.8:53 | 76.61.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.87.192.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.137.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | addons.smgsuite.com | udp |
| US | 188.114.96.0:443 | addons.smgsuite.com | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 40.125.122.176:443 | N/A | tcp |
| US | 8.8.8.8:53 | smgsuite.com | udp |
| US | 188.114.97.0:443 | smgsuite.com | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| N/A | 185.161.248.72:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
| MD5 | cb7724f0cfbc465a48b1832d3419edd7 |
| SHA1 | f8553bffe63bbc454ef98c6c1ec3736b9e0a81aa |
| SHA256 | 0a77eec7259fe2048bd127f7be7af966085f73415221dd04457713348393b940 |
| SHA512 | f646e478eacb637adb358d6d3a367259de84b078465656a77f62e9d0b7443589ddfd79138730ae317649d0a1cc2b7b89a5d0c30b7f083c25671dd57c6881e933 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
| MD5 | 2c370254d2b62b9fa0a22d82556bb9db |
| SHA1 | 98dd76e9e34d752e6110a70e514f8dc94e914ebd |
| SHA256 | ecbed5e995e73dd69c417d6a3a422f3c93d1149c6a8acbed56f181535208463b |
| SHA512 | 9d0aab28dd1c4865053fd9995ded31ca14da398d2c407b46253f10abe079159fb9cace32312e25402463a24b727930db0edefebe5b8da9d57ac4493603845843 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
| MD5 | 2013df3ab4c393dbfeb56100e4c414a6 |
| SHA1 | 1a0e09673ca2c1e3bfd7b5ed5e03cead327f3ac2 |
| SHA256 | 1081bd699d986ef6b0fc0d99c1dbb1c26bdfacc89249078e611c3cba538bd878 |
| SHA512 | 7bd1d58142e9b9346096b297fa286f1bf7f161e246caa27774255e91416357de9b481675fc9f63430b2dd399758521166130e7f3ce590bfc2462a3e28d0b15fb |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
| MD5 | 6bb86793dc581b29147c2d4d5bad8ce6 |
| SHA1 | c5ffe67ea0f190d661779969a5da2b843e9eaf6d |
| SHA256 | ccf25cf1cb0269655e2003b30ed9fdc3d0225bb49b91bc301978e809bcf517bd |
| SHA512 | 376e2188605a7c9f9d69a01960b2ff2554060adc7b254ba5c827be86b3e100b628abe281231d09d29e85ba8230f2f08be4d41b0a035da6914bfeec8994559d52 |
memory/3896-161-0x0000000002350000-0x0000000002360000-memory.dmp
memory/3896-162-0x0000000002350000-0x0000000002360000-memory.dmp
memory/3896-163-0x0000000002350000-0x0000000002360000-memory.dmp
memory/3896-164-0x00000000049C0000-0x0000000004F64000-memory.dmp
memory/3896-165-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-166-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-168-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-170-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-172-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-174-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-176-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-178-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-180-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-182-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-184-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-192-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-190-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-188-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-186-0x0000000002360000-0x0000000002373000-memory.dmp
memory/3896-193-0x0000000002350000-0x0000000002360000-memory.dmp
memory/3896-194-0x0000000002350000-0x0000000002360000-memory.dmp
memory/3896-195-0x0000000002350000-0x0000000002360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
| MD5 | 72627a85c40f3bdaf6b6b451f742f1e9 |
| SHA1 | 44a15ee128d050db7dca4884f1ccd2f584d7915e |
| SHA256 | fff90eff8d06d499e00aedf10eb72330db25202b7bc1d1bb9f2cafda8bd8a5b7 |
| SHA512 | 6ea7124b57cd1786b38a109144c51f2c0d5ca6d1821d30a208d53598ee0d9053f3c3bba6c2ec6ef288d2d8c45b751001590abb033ead29b2803e462dbd0b4eed |
memory/3932-201-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-202-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-204-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-206-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-208-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-210-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-212-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-214-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-216-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-218-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-220-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-222-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-224-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-226-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-228-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3932-229-0x00000000005E0000-0x000000000060D000-memory.dmp
memory/3932-230-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/3932-231-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/3932-232-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/3932-233-0x0000000000400000-0x0000000000466000-memory.dmp
memory/3932-235-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/3932-236-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/3932-237-0x0000000000400000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
| SHA512 | ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad |
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
| SHA512 | ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
| MD5 | ca0980a62c6480dabf9d26117d623f05 |
| SHA1 | bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63 |
| SHA256 | 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995 |
| SHA512 | 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b |
memory/2904-255-0x00000000005D0000-0x0000000000616000-memory.dmp
memory/2904-256-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/2904-257-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/2904-258-0x00000000024C0000-0x00000000024F5000-memory.dmp
memory/2904-259-0x00000000024C0000-0x00000000024F5000-memory.dmp
memory/2904-261-0x00000000024C0000-0x00000000024F5000-memory.dmp
memory/2904-263-0x00000000024C0000-0x00000000024F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
| MD5 | 4f24c94182a964c6706c1920a73822c0 |
| SHA1 | 5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0 |
| SHA256 | 45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3 |
| SHA512 | d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd |
memory/2904-1074-0x0000000007620000-0x0000000007C38000-memory.dmp
memory/2904-1075-0x0000000002720000-0x0000000002732000-memory.dmp
memory/2904-1076-0x0000000007C40000-0x0000000007D4A000-memory.dmp
memory/2904-1093-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/2904-1094-0x0000000007D50000-0x0000000007D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe
| MD5 | e4656c54b03a03f816ab33101a324cdc |
| SHA1 | 48cd8d9c5a20d36362214d727e184fe4e0075d4f |
| SHA256 | bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba |
| SHA512 | c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Setup.txt
| MD5 | 9f82e028a899fe0dded45d76ed1ed06f |
| SHA1 | fc0e0f3e34451087e28d8c51c486a52934e59d4a |
| SHA256 | 3dd4285197d7ad7004789eee6464594666ae8e5d913bec23e57151608bd3b109 |
| SHA512 | 22d4ad271965c8c5fbe038ead00cb374c299e89f7d669ea7657064e5b3c18f4dc7f9d51b102dc388c6f79e805c7196c085edf6e990e6bb33c41ac36854192b18 |
memory/1036-1099-0x0000000000700000-0x0000000000701000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Modern_Icon.bmp
| MD5 | 1dd88f67f029710d5c5858a6293a93f1 |
| SHA1 | 3e5ef66613415fe9467b2a24ccc27d8f997e7df6 |
| SHA256 | b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532 |
| SHA512 | 7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94 |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00008#Welfare
| MD5 | f5802553964d59c3874a7ea7f0313c68 |
| SHA1 | 106f605a2e7704cb8341b27ca982f5f70d09bc0f |
| SHA256 | 35cc1497dc397cf46815bfb41953a134170bbea3fd0d5178ca45b6bbb01084f9 |
| SHA512 | 8f495fc3ceda40788b3dc7a2eec223e3d40b5edf1ff4ed159f20a256f1ba71d8baba135b3b1bf9f6f07851dc99bd4e29fd2af1bc7984bccca4fc390c0fc83b23 |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00001#Foto
| MD5 | 60ad6b661b7d878936b63c39e7d94555 |
| SHA1 | 655ca3b2c75ad015a02470c92e8d7b9d58541524 |
| SHA256 | 650f797d33d5ecf29e1876324de2507a3b97cad3cc00c1e25ff02420a2e4e70e |
| SHA512 | f44b3d36f26666c079354085471d44b2838c24553fd0797e12c3c96b14794aa24073574379e1e0abce3b38aaaa179dd1bf05c51ca3831aff82c90fe6699cc606 |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00009#Wines
| MD5 | 31ae6922272bfd6c6a863b679940d005 |
| SHA1 | df93b1021c3bb2087b249a82d4cbcd599659fcd6 |
| SHA256 | 77031c9bf9a778abef4672a2b749dd7fb662a29b3e69ea391fe04dd4944601d8 |
| SHA512 | f0765279accdefbf611088e92433d258700bc97d28468b6cbd34c1be5b7cf27a54763009214bd4ce052c4bec87debd9464e2f040028fba40fb32da20d82669bd |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00002#Gp
| MD5 | 4f39ba8b1c907e52d53215ea79a1896f |
| SHA1 | 975c70c4973697cce66c149a00cc8b20e79526be |
| SHA256 | ace9abce7314ca6736b6b6acf5a1f96c7d24f7764678f99ffb795a897a6e7bf2 |
| SHA512 | e862921fbad7a8118a1c12f1c9ca33b7f41251b69b0dc48dcbf3c40350174f5db8946c75797b0042e3d9633821b66e523212a1998a901f712bc8b0053d1e7572 |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00004#Piece
| MD5 | bf7a0cdf40d3aa9fc94c9accd73298d2 |
| SHA1 | a049a7323a8468d1bbd3e96a1ace4266fce4429c |
| SHA256 | 96eab71166cc7df7ec1eae988487d76d463c080f1da98b194bc60a1701e5d3ae |
| SHA512 | 6a0eb5de2f23ff986c90835b7b24e5299fdb882186bcc88fece6a6a4363871dda00b8313ee729557778cf4c14456e9c25d79108be35f31df1d9b697f5d89009e |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00006#Stands
| MD5 | 4a1f67fc0cacc5cf1c9ab1ab05e25ec6 |
| SHA1 | e955600ae7c0f6bec15a4126f1be10acc6a6b875 |
| SHA256 | ed299bf8533de2b3f0965295aa5be53e8486dfa0887e20de0b4c6c2fd3b30b4b |
| SHA512 | e0f1a52209c13937afcdb954e59daba04d80f82cba702788e1d6d359f2e4dd189d01455f32a167b6014c68e5d670686d2ace1bfea0b8c31b3c91f2f052669675 |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00003#Management
| MD5 | b0525ab549845919679f78453f554c1f |
| SHA1 | 3d2179acba0634cc71003502923c3a4a52b31d14 |
| SHA256 | 31c86eb615672da32e64560553d46cb18c25e7ea794e4637cfac3c4be0a9fb47 |
| SHA512 | b983c3517cf878e99ad94d0227c25edb52e82c5ead93c7cbfa6ea2543d483db20be2f210029237131e8e5517497e910abcdb119edf88cdb7eac9e61c4f2a3087 |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00000#Cancer
| MD5 | d4c65e691f5a42538b02417f60c042be |
| SHA1 | 7726b2bd52dc94a9d3e79f2e82e92dd8820997ad |
| SHA256 | d71b5a80bc3d6fce71c6fc6efb62542bd5536d7d3805d92067a29f512bd12c33 |
| SHA512 | e487f30b27b178a09d381802767f7425d63e6538bc9b0d5406ea39cf7f7c2c586d53850e460b897a49014b61e75ffbe817b4a93b9460a18ed89d223048dab62f |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00010#Yugoslavia
| MD5 | 9852c7adb40127bf8e29ae2346482129 |
| SHA1 | d5decd97f329dc62f824a17b204a214a83a1292b |
| SHA256 | 85ad2b1fd775ecd859922d5550f76f87f8e8e9dd84d878ee786450a8aefee1ac |
| SHA512 | 0a89fa89340df63de408b106ac4503a649ac2bf60978f40452263b8690d81cedf9d812e4b71988a84e6fdb36fdd8dfc0ec30a78d1df2f0cb044b7afa3accc56b |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00007#Sue
| MD5 | f51e203d3f2ac1e4f6ed5a89f5805fcb |
| SHA1 | 76195a680f2e178c03d35719a0adc776fe901289 |
| SHA256 | c6a7beb722fefad0a7f6f2057cbfda9a8cec198e56f2946191aeb9de7578b2ca |
| SHA512 | 8c2ab71bf608066d3a63cdac2924d8a6d6c983e8257aed07691f5dace70442de5e72ba0f3bfe8b6395314178ddde219ca5005e65aed305165a06cae2dba16bec |
C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00005#Prototype
| MD5 | ad1b6b16c6c6c23f01288183183ed0c1 |
| SHA1 | b60363ebd25d9953f202423b34e0c81fa24dafb6 |
| SHA256 | 94fca15d4913ccc5955aef8942cb475306a6815190fe27ff742b40a808ff860e |
| SHA512 | d461bf0dd5b20b1cb5dc07128be156b3ab144607c5794956635ca7ce90a2d643d539b2f6dd063c8889e01e074db74cacd41940a3d3bb53cd2406f77f0ccac6ce |
memory/484-1113-0x0000000002A20000-0x0000000002A56000-memory.dmp
memory/2904-1114-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/2904-1115-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/2904-1116-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
memory/484-1131-0x0000000005630000-0x0000000005C58000-memory.dmp
memory/484-1132-0x0000000004FF0000-0x0000000005000000-memory.dmp
memory/484-1133-0x0000000005460000-0x0000000005482000-memory.dmp
memory/484-1134-0x0000000005C60000-0x0000000005CC6000-memory.dmp
memory/484-1135-0x0000000005CD0000-0x0000000005D36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_koncyyv1.0bn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/484-1146-0x00000000063C0000-0x00000000063DE000-memory.dmp
memory/484-1147-0x0000000006930000-0x00000000069C6000-memory.dmp
memory/484-1148-0x00000000068B0000-0x00000000068CA000-memory.dmp
memory/484-1149-0x0000000006900000-0x0000000006922000-memory.dmp
memory/2904-1151-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
memory/64-1164-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
memory/1036-1165-0x0000000000700000-0x0000000000701000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 24e5a6f9d5c5924aea695e04b3f429ec |
| SHA1 | b97b6ab3cbe1ef82834ea97d5566389069382a68 |
| SHA256 | 4bc7cba82a38d8a16d4e700e9992e3104aeee0932755f4006b97fd0f6a971642 |
| SHA512 | 279c376b84f761cae858bb91d3b68131744463da27201379b1ea0645b9c27bcabcd3c90ec3e8c2c7b4970d8ee9c4767e96bcd306d782cfac6b27a6294701b1d7 |
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\Finding
| MD5 | f39dff6e12fa4e21277d39149fa7da7e |
| SHA1 | 804aa8256d1a98311d737e13ef62db0fa7d15ec0 |
| SHA256 | 27deb687c50fe4c33b19f43ccb0d4cbdaa8292511df2a93c138d6740862e9fd0 |
| SHA512 | cceca80987fcfad926734a7c2ed16919a237ceb02f391fe9de667405f014498b10bcf735547e5ee53f9b146ed56b24db025be285422c53dac2770f1885d31f5c |
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
| MD5 | 0162a97ed477353bc35776a7addffd5c |
| SHA1 | 10db8fe20bbce0f10517c510ec73532cf6feb227 |
| SHA256 | 15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571 |
| SHA512 | 9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5 |
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
| SHA512 | ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad |
memory/3060-1184-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 73df88d68a4f5e066784d462788cf695 |
| SHA1 | e4bfed336848d0b622fa464d40cf4bd9222aab3f |
| SHA256 | f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f |
| SHA512 | 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 60fe01df86be2e5331b0cdbe86165686 |
| SHA1 | 2a79f9713c3f192862ff80508062e64e8e0b29bd |
| SHA256 | c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8 |
| SHA512 | ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 3bbe7b7fccd20dfed4aa22e8e7aaec66 |
| SHA1 | d1d9415af152a91d8aba2d8f8560814bd588578b |
| SHA256 | 29cab0a843da9ccae464d1f1fe7e00ee59e59e8a5420f155f739d6560c2d7e70 |
| SHA512 | 9be492d1d2d106c829fdf9dbae9980b5cc8ff34256c3e6a34821bfd0a7d35634dfca95f600f80dda416731a465bf26e927651f02629b6ba9e839153ac0e3334a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59C287033A8C5F95779AE0F50A84C0D2
| MD5 | da32a725c31f3e5319181849341f30bd |
| SHA1 | 2e73968cf57a25a784695060dcb9baf596d9d536 |
| SHA256 | 4a9c1be24aa10b0d061f9a87d3c03f3674cc7f833762fabf5d08efe82a9e7715 |
| SHA512 | 7b72948b4150c2f5aa93ae0be3af1e085c99687caf261bbb1e0a56279f6ddd42d58b7092643556e78d026824d5a941b30fa2ddf144335dd041fae4da32e76a82 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59C287033A8C5F95779AE0F50A84C0D2
| MD5 | 3f85e970f7c157b415e4c11c1319dbfd |
| SHA1 | 2e5c546c536c94f7f5e441ae3409731cd82574e6 |
| SHA256 | da5c69afb4a233d66a68eef5c8a83e3e84ddd305fa0afd6a8288e98a518398a1 |
| SHA512 | f91ac0c5b46ce16a935d2107d94112a2b65054d75407fa440887572cf676a438fb38bffb7fcb85f4f471a04ab61731e16b60dbb1dab39e93272def6ee2b600ff |
C:\ProgramData\07900588628047328197.exe
| MD5 | a63c4dc41c0b62c9ceb73be679ab932d |
| SHA1 | 42b1a611458102f8d4910de7f43c81238b313a03 |
| SHA256 | 2181b56fd1b467d16100bebf81fb77549aee4c37cc3834c4fc05a5225779584e |
| SHA512 | e5640c3597e24d58d3c6a2547703dd542a3d0568155be1fc663f1949b0f060d08e24c9b6a75396963c6ce473ee2c47b3594e0664d38b2414382c707560047bec |
memory/1028-1313-0x0000000000170000-0x000000000020C000-memory.dmp
memory/1028-1314-0x0000000004A30000-0x0000000004ACC000-memory.dmp
memory/1028-1315-0x0000000004C10000-0x0000000004CA2000-memory.dmp
memory/1028-1316-0x0000000004B20000-0x0000000004B2A000-memory.dmp
memory/1028-1317-0x0000000004DE0000-0x0000000004E36000-memory.dmp
memory/1028-1321-0x0000000004DD0000-0x0000000004DE0000-memory.dmp
C:\ProgramData\46777832471797123856.exe
| MD5 | 718d69c7e8baa9b2fea5078ac9adf6b7 |
| SHA1 | b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75 |
| SHA256 | 21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936 |
| SHA512 | ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515 |
memory/3736-1346-0x00000000008F0000-0x0000000001259000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7d7278e76528dbcf5d6d37026fe66437 |
| SHA1 | 3039931e4fd849167ed09bc53e31e915cbbb8918 |
| SHA256 | 973b01756144bb8fed38d32bf86538ac217f257589e2f882d5afd5d1069f189a |
| SHA512 | 449e36155f3866490753b4bbf6c4d2f65637587cac71ce2eeaed280a87b1a783ae90e5d8b0a8844d5fbb880c3e8602b824aafa7b5ef06fac0389d855098eb312 |
memory/1064-1357-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/1064-1358-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/1064-1359-0x0000000007560000-0x0000000007592000-memory.dmp
memory/1028-1360-0x0000000004DD0000-0x0000000004DE0000-memory.dmp
memory/1064-1361-0x000000006F860000-0x000000006F8AC000-memory.dmp
memory/1064-1362-0x000000007EED0000-0x000000007EEE0000-memory.dmp
memory/1064-1372-0x0000000006930000-0x000000000694E000-memory.dmp
memory/1064-1373-0x0000000007D50000-0x00000000083CA000-memory.dmp
memory/1064-1374-0x0000000007720000-0x000000000772A000-memory.dmp
memory/1064-1377-0x00000000076B0000-0x00000000076BE000-memory.dmp
memory/1064-1379-0x00000000079E0000-0x00000000079FA000-memory.dmp
memory/1064-1380-0x00000000079C0000-0x00000000079C8000-memory.dmp
memory/3736-1381-0x00000000008F0000-0x0000000001259000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDF3F.tmp
| MD5 | 77ec8ab3ef8b3ef2a686a15310512a3d |
| SHA1 | 692276bd162b83505cb99b85bb0466956a46ee7a |
| SHA256 | 209c3bbd86caced68e591bd6ca92caf036b70d0eb4a3ea74f23dbb0939920509 |
| SHA512 | 87d258f1974d0097c14e77835f1d5128b10fd5fc34862fb999e308a7c4afdcd44e62fd962ef1c3b00a988c1f920764f9ef0125a69e587831a6ca112fef6484fd |
memory/1036-1392-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1036-1394-0x0000000005040000-0x0000000005050000-memory.dmp
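The listing above is the raw material for blocking and hunting: the executables written to %TEMP%, %APPDATA% and C:\ProgramData (oneetx.exe, cred64.dll, clip64.dll, the numeric-named .exe files, Bondage.exe.pif) are the hashes worth importing into an EDR blocklist, while the memory/PID-... entries point at the regions the sandbox dumped from the injected processes. The same file appears several times because it was written more than once, so a naive import produces duplicate indicators. The following Python is an added example, not part of the sandbox's report or tooling: it parses this listing format, validates that each digest has the length its algorithm requires, collapses repeated entries to one record per SHA256, and ranks memory regions by size. The format is inferred from the lines above (a path line followed by `| ALGO | hex |` rows, and `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`, where the PID/sequence/address reading of the dump name is an assumption). The embedded sample is constructed from entries on this page plus one deliberately malformed SHA1 row to show the validation path.

```python
import re
from dataclasses import dataclass, field

# Expected hex digest lengths; a row that does not match is flagged rather than
# silently imported into a blocklist.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumed reading of the dump file name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_ROW_RE = re.compile(r"^\|\s*(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<digest>[0-9A-Fa-f]+)\s*\|$")

# Constructed sample in the listing's format: real entries from this report, with a
# repeated clip64.dll block and one bogus SHA1 row ("deadbeef") added for the test.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
| MD5 | e05249b60272a0a33974a9cf62a06a6c |
| SHA1 | 75c7ea58f69bc67d073375f5a23f7438ec78004b |
| SHA256 | c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068 |
memory/3060-1184-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 73df88d68a4f5e066784d462788cf695 |
| SHA1 | e4bfed336848d0b622fa464d40cf4bd9222aab3f |
| SHA256 | f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 73df88d68a4f5e066784d462788cf695 |
| SHA1 | e4bfed336848d0b622fa464d40cf4bd9222aab3f |
| SHA256 | f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f |
memory/3736-1346-0x00000000008F0000-0x0000000001259000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA1 | deadbeef |
"""


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (artifacts, regions, problems).

    artifacts: Artifact records in report order, repeats included (see dedupe()).
    regions:   MemoryRegion records for every memory/...-memory.dmp line.
    problems:  descriptions of rows that do not parse or carry a wrong-length digest.
    """
    artifacts, regions, problems = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m["pid"]), int(m["seq"]),
                                        int(m["start"], 16), int(m["end"], 16)))
            current = None  # a hash row after a dump line has no owning file
            continue
        if line.startswith("|"):
            m = HASH_ROW_RE.match(line)
            if not m or current is None:
                problems.append(f"line {lineno}: unparseable hash row: {line}")
                continue
            algo, digest = m["algo"], m["digest"].lower()
            if len(digest) != HASH_LENGTHS[algo]:
                problems.append(f"line {lineno}: {algo} digest has {len(digest)} hex chars, "
                                f"expected {HASH_LENGTHS[algo]}")
                continue
            current.hashes[algo] = digest
            continue
        # Any other non-empty line is a file path that opens a new artifact block.
        current = Artifact(path=line)
        artifacts.append(current)
    return artifacts, regions, problems


def dedupe(artifacts):
    """One record per SHA256, keeping every distinct path the same content was written to."""
    by_sha = {}
    for a in artifacts:
        sha = a.hashes.get("SHA256")
        if sha is None:
            continue
        rec = by_sha.setdefault(sha, {"paths": [], "hashes": a.hashes})
        if a.path not in rec["paths"]:
            rec["paths"].append(a.path)
    return by_sha


def pe_candidates(by_sha):
    """SHA256s of artifacts whose path has an executable extension. .pif is included because
    Windows still treats it as an executable, which is why the report's Bondage.exe.pif ran."""
    exts = (".exe", ".dll", ".pif")
    return sorted(sha for sha, rec in by_sha.items()
                  if any(p.lower().endswith(exts) for p in rec["paths"]))


def largest_regions(regions, n=3):
    """Dumped regions ordered by size; the big ones are where unpacked payloads usually sit."""
    return sorted(regions, key=lambda r: r.size, reverse=True)[:n]


if __name__ == "__main__":
    arts, regs, probs = parse_listing(SAMPLE)
    for sha in pe_candidates(dedupe(arts)):
        print(sha, dedupe(arts)[sha]["paths"])
    for r in largest_regions(regs):
        print(f"pid {r.pid}: 0x{r.start:X}-0x{r.end:X} ({r.size} bytes)")
    for p in probs:
        print("WARNING:", p)
```

Run it against the full listing on this page (pasted into `SAMPLE` or read from a file) to get a deduplicated hash set for blocking and the largest dumped regions to pull first for static analysis; any row flagged in `problems` should be corrected by hand rather than imported.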