Analysis Overview
SHA256
2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723
Threat Level: Known bad
The file 2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723 was found to be: Known bad.
Malicious Activity Summary
CryptBot
RedLine payload
Amadey
Lumma Stealer, LummaC
RedLine
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Reads data files stored by FTP clients
Identifies Wine through registry keys
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-07 23:47
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-07 23:47
Reported
2024-09-07 23:50
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
CryptBot
Lumma Stealer, LummaC
RedLine
RedLine payload
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4396 set thread context of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2868 set thread context of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4636 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | C:\Users\Admin\AppData\Local\Temp\svchost015.exe |
| PID 5528 set thread context of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost015.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\3eSeTt63OW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\yaSY2E1Rte.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = <binary certificate blob omitted> | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe
"C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\yaSY2E1Rte.exe
"C:\Users\Admin\AppData\Roaming\yaSY2E1Rte.exe"
C:\Users\Admin\AppData\Roaming\3eSeTt63OW.exe
"C:\Users\Admin\AppData\Roaming\3eSeTt63OW.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
"C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe
"C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4412 -ip 4412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1172
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
C:\Users\Admin\AppData\Local\Temp\Tmp2219.tmp
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
C:\Users\Admin\AppData\Roaming\yaSY2E1Rte.exe
C:\Users\Admin\AppData\Roaming\3eSeTt63OW.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\76b53b3ec448f7ccdda2063b15d2bfc3_a53bb4ca-6113-48bb-9609-441860fdd0d7
C:\Users\Admin\Desktop\Microsoft Edge.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
C:\ProgramData\nss3.dll
C:\ProgramData\mozglue.dll
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
| MD5 | 30daa686c1f31cc4833bd3d7283d8cdc |
| SHA1 | 70f74571fafe1b359cfe9ce739c3752e35d16cf5 |
| SHA256 | 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822 |
| SHA512 | 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9 |
C:\Users\Admin\AppData\Local\Temp\service123.exe
| MD5 | 4d4cab141394c0c233a167911d956123 |
| SHA1 | 3de65d4b6a9b3f254b032750a9f484e1dff92454 |
| SHA256 | 8a739c03d8fa5f84f4b4ed636da73b6491d806d87cafe23baff3a62143eb5628 |
| SHA512 | e0c50fe2ca6c5db61d13dc396963b2279fb66bb4e89c57dd3d7728363f2845b4cba362a39e5bd101b602170edfcd13e3082d0cdfba34287a07959cb02e8ffd7a |
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
| MD5 | 3f99c2698fc247d19dd7f42223025252 |
| SHA1 | 043644883191079350b2f2ffbefef5431d768f99 |
| SHA256 | ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3 |
| SHA512 | 6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67 |
C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-07 23:47
Reported
2024-09-07 23:50
Platform
win11-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
CryptBot
RedLine
RedLine payload
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2392 set thread context of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3556 set thread context of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4668 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | C:\Users\Admin\AppData\Local\Temp\svchost015.exe |
| PID 1668 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost015.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\IM5tfU1iKJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DzfAFCwE3Y.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe
"C:\Users\Admin\AppData\Local\Temp\2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\DzfAFCwE3Y.exe
"C:\Users\Admin\AppData\Roaming\DzfAFCwE3Y.exe"
C:\Users\Admin\AppData\Roaming\IM5tfU1iKJ.exe
"C:\Users\Admin\AppData\Roaming\IM5tfU1iKJ.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
"C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe
"C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.113.215.185.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | N/A | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | N/A | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| FI | 95.216.107.53:12311 | N/A | tcp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| RU | 80.66.75.114:80 | 80.66.75.114 | tcp |
| RU | 194.87.248.136:80 | sevtv17sb.top | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| RU | 185.215.113.67:15206 | N/A | tcp |
| FI | 95.216.143.20:12695 | N/A | tcp |
| US | 8.8.8.8:53 | 20.143.216.95.in-addr.arpa | udp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| US | 172.67.187.171:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | 171.187.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| FR | 176.150.119.15:56002 | N/A | tcp |
| FR | 176.150.119.15:56003 | N/A | tcp |
| FR | 176.150.119.15:56001 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | 0ff649344e3597b4503b3eae73162770 |
| SHA1 | 40eb73be0b58c73d423b618fd15b824c56eeeec1 |
| SHA256 | 2971e3b4c072b31004c2caa9d059ae92ee40a14253cb958bcf393080d2aaa723 |
| SHA512 | aac2ef05f94f2a28fdf89b905af728e4ae672159ebcf8e6dfcd92e4bef93b6d44e8966b99f3bc311ad886131df0aa7ceadde52327675447770586ec6895991f3 |
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
C:\Users\Admin\AppData\Local\Temp\TmpDAFE.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
C:\Users\Admin\AppData\Roaming\DzfAFCwE3Y.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\IM5tfU1iKJ.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3761892313-3378554128-2287991803-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1a4dc33f-c784-4d28-8db2-389663d94aeb
| MD5 | bccdbb94429735ac6e8e457219891cc0 |
| SHA1 | 8be671d1bfa2c4d6e032acb2cd4e19ff25cf7b94 |
| SHA256 | c6d8db0dc25e569442b71286d2a6b6c97f19f2b281ec3c72c6cc8d7554f67ccb |
| SHA512 | ba46867422bbb041a2a54c8006f12f6652a4de648326619a64dd5235cd42fb77991d3f3f61d0f6cc047715b69d89dc98b109f2b53bd5ca048b633da656052ffc |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | c76fbef985ab379c9e911d2f9b48041d |
| SHA1 | 1a34bf7262aa31adfa1728f21159a545c8ae331b |
| SHA256 | 036f1cf1929d43398566c74ff519b4b378201f9d1b455f33a00f761ed9e1da11 |
| SHA512 | 7eebb9b34186e448df4b98e70a8bba70e16927d616379e06c5dd622f6fcc234492c6d14971e34bc19bd3225ba71e5dd480c004b4cdee173fb8c956112db05deb |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 6a4472d4c7abec00310b234ea0c28547 |
| SHA1 | 4171fb4c397752ec698de83792768845ccd2d529 |
| SHA256 | 4dc3c62597461ffcf8ba29dc8ec65361b4ceb86a004ba03a5cabab724d117c5c |
| SHA512 | 4341c8ef29c8d1a030b0778463bf5426df381dd9a5c61d8ccf2071891e13b29333b6b2004755e57297ac47db084560dab17a950f2989ebb0d42a7205f26a4d60 |
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
| MD5 | 5f1dffeff8714e88b493506256db8f8a |
| SHA1 | d554da350b41da8556ce83ed851b975d2325a3d2 |
| SHA256 | e372a2d6ea5d76b0ffbccfa5b6574b910826fb5b5998e8e5cc4dcd49f6dffff0 |
| SHA512 | 4bf57a4af1514111e301f8a1c8f3e2c145d078ba45a94edb71af6b1f9ca6dcfb3bd35d5114936f5c97ab4b1561b7b5afd4bfcc6d37b2f39b3aca0c96e0b28960 |
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
| MD5 | 45b55d1e5d2bf60cc572f541ae6fa7d1 |
| SHA1 | 2329f56147a299bcdbf20520e626cc8253e49a8d |
| SHA256 | 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8 |
| SHA512 | 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2 |
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
| MD5 | 7e6a519688246fe1180f35fe0d25d370 |
| SHA1 | 8e8719ac897dfef7305311dc216f570af40709af |
| SHA256 | 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a |
| SHA512 | a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
| MD5 | 03cf06e01384018ac325de8bc160b4b2 |
| SHA1 | 1853505e502b392fd556a9ce6050207230cc70cd |
| SHA256 | 5ab3785b2b72eaf7edff8961eb8ff8dd3dc6cc7031bc96ceb06a899b6fb3bbbc |
| SHA512 | be1f2cf898db93e96e8817bf2d0ab0ef0f49d5bba4efba2de4046f6b381e8eda6ff5fcfdc057b6cbc4de5b3a7b096612c1e0d6b0d395ee685b3844ba5dc0e1b6 |
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
| MD5 | b826dd92d78ea2526e465a34324ebeea |
| SHA1 | bf8a0093acfd2eb93c102e1a5745fb080575372e |
| SHA256 | 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b |
| SHA512 | 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17 |
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
| MD5 | 30daa686c1f31cc4833bd3d7283d8cdc |
| SHA1 | 70f74571fafe1b359cfe9ce739c3752e35d16cf5 |
| SHA256 | 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822 |
| SHA512 | 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9 |
C:\Users\Admin\AppData\Local\Temp\service123.exe
| MD5 | 4d4cab141394c0c233a167911d956123 |
| SHA1 | 3de65d4b6a9b3f254b032750a9f484e1dff92454 |
| SHA256 | 8a739c03d8fa5f84f4b4ed636da73b6491d806d87cafe23baff3a62143eb5628 |
| SHA512 | e0c50fe2ca6c5db61d13dc396963b2279fb66bb4e89c57dd3d7728363f2845b4cba362a39e5bd101b602170edfcd13e3082d0cdfba34287a07959cb02e8ffd7a |
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
| MD5 | 3f99c2698fc247d19dd7f42223025252 |
| SHA1 | 043644883191079350b2f2ffbefef5431d768f99 |
| SHA256 | ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3 |
| SHA512 | 6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67 |
C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |