Analysis Overview
SHA256: 2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994
Threat Level: Known bad
The file 2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994 was found to be: Known bad.
Malicious Activity Summary
RedLine
CryptBot
Stealc
Lumma Stealer, LummaC
RedLine payload
Amadey
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Identifies Wine through registry keys
Checks BIOS information in registry
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-09-07 14:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-07 14:32
Reported: 2024-09-07 14:35
Platform: win10v2004-20240802-en
Max time kernel: 150s
Max time network: 150s
Command Line
Signatures
Amadey
CryptBot
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe = "C:\\Users\\Admin\\1000238002\\Amadeus.exe" | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\oM3u51EWFk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000238002\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Ug1kSLlSLv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\sqqujzWPVs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost015.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\puSeW1tEUg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary value omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe
"C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\oM3u51EWFk.exe
"C:\Users\Admin\AppData\Roaming\oM3u51EWFk.exe"
C:\Users\Admin\AppData\Roaming\Ug1kSLlSLv.exe
"C:\Users\Admin\AppData\Roaming\Ug1kSLlSLv.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\1000238002\Amadeus.exe
"C:\Users\Admin\1000238002\Amadeus.exe"
C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe"
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
"C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe
"C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
"C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"
C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\sqqujzWPVs.exe
"C:\Users\Admin\AppData\Roaming\sqqujzWPVs.exe"
C:\Users\Admin\AppData\Roaming\puSeW1tEUg.exe
"C:\Users\Admin\AppData\Roaming\puSeW1tEUg.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.113.215.185.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | N/A | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 8.8.8.8:53 | 45.250.179.95.in-addr.arpa | udp |
| FI | 65.21.18.51:45580 | N/A | tcp |
| US | 8.8.8.8:53 | 26.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 8.8.8.8:53 | 51.18.21.65.in-addr.arpa | udp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| US | 8.8.8.8:53 | stagingbyvdveen.com | udp |
| EE | 147.45.60.44:80 | stagingbyvdveen.com | tcp |
| FI | 95.216.107.53:12311 | N/A | tcp |
| US | 8.8.8.8:53 | 17.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.60.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.107.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| US | 8.8.8.8:53 | 216.17.216.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sevtv17sb.top | udp |
| RU | 194.87.248.136:80 | sevtv17sb.top | tcp |
| US | 8.8.8.8:53 | 136.248.87.194.in-addr.arpa | udp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivev5sb.top | udp |
| RU | 195.133.48.136:80 | fivev5sb.top | tcp |
| US | 8.8.8.8:53 | 136.48.133.195.in-addr.arpa | udp |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| US | 8.8.8.8:53 | 158.233.202.91.in-addr.arpa | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 19.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | N/A | tcp |
| FI | 95.216.143.20:12695 | N/A | tcp |
| US | 8.8.8.8:53 | 20.143.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 104.21.84.66:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 172.67.146.35:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | 66.84.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.146.67.172.in-addr.arpa | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | N/A | tcp |
| FI | 95.216.107.53:12311 | N/A | tcp |
| US | 104.21.84.66:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 172.67.146.35:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
Files
memory/3936-0-0x00000000001B0000-0x000000000067B000-memory.dmp
memory/3936-1-0x0000000077174000-0x0000000077176000-memory.dmp
memory/3936-2-0x00000000001B1000-0x00000000001DF000-memory.dmp
memory/3936-3-0x00000000001B0000-0x000000000067B000-memory.dmp
memory/3936-4-0x00000000001B0000-0x000000000067B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | 5e4edc208cd5752116d0a72d01f3772c |
| SHA1 | 93daf7d114a877f533dfb7de0da10b1e5a4ce6c2 |
| SHA256 | 2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994 |
| SHA512 | 017124ab462b34a9a7104919baa8cdf7773635066cf99890a45431ac287779ede642653390f57b04341f82744e26cf6257a9c35db79c9cf0185bc687d6234439 |
memory/3936-17-0x00000000001B0000-0x000000000067B000-memory.dmp
memory/5024-18-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/5024-19-0x00000000008D1000-0x00000000008FF000-memory.dmp
memory/5024-20-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/5024-21-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/5024-22-0x00000000008D0000-0x0000000000D9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
memory/2368-43-0x0000000072D8E000-0x0000000072D8F000-memory.dmp
memory/2368-44-0x0000000000C10000-0x0000000000C64000-memory.dmp
memory/4788-46-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4788-48-0x0000000005740000-0x0000000005CE4000-memory.dmp
memory/4788-49-0x0000000005230000-0x00000000052C2000-memory.dmp
memory/4788-50-0x0000000005220000-0x000000000522A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp855C.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4788-67-0x00000000060F0000-0x0000000006166000-memory.dmp
memory/4788-68-0x0000000006750000-0x000000000676E000-memory.dmp
memory/4788-71-0x00000000070E0000-0x00000000076F8000-memory.dmp
memory/4788-72-0x0000000006D10000-0x0000000006E1A000-memory.dmp
memory/4788-73-0x0000000006C50000-0x0000000006C62000-memory.dmp
memory/4788-74-0x0000000006CB0000-0x0000000006CEC000-memory.dmp
memory/4788-75-0x0000000006E20000-0x0000000006E6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
memory/2160-94-0x0000000000B00000-0x0000000000C12000-memory.dmp
memory/4900-96-0x0000000000400000-0x000000000050D000-memory.dmp
memory/4900-101-0x0000000000400000-0x000000000050D000-memory.dmp
memory/4900-100-0x0000000000400000-0x000000000050D000-memory.dmp
memory/4900-98-0x0000000000400000-0x000000000050D000-memory.dmp
C:\Users\Admin\AppData\Roaming\oM3u51EWFk.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\Ug1kSLlSLv.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
memory/4900-121-0x0000000000400000-0x000000000050D000-memory.dmp
memory/3100-125-0x0000000000AC0000-0x0000000000B12000-memory.dmp
memory/1412-126-0x0000000000B80000-0x0000000000C0E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302416131-1437503476-2806442725-1000\76b53b3ec448f7ccdda2063b15d2bfc3_acd03e19-89e2-40d7-b0f4-25b8a05635ee
| MD5 | 53c411c197f8e4a6050f500443afb683 |
| SHA1 | 827530c52604b5c3e5dba03990eee93f4870744d |
| SHA256 | bd38803b9bf06f74759a2a236abe9f7ebf86df9c0bfb9681fae48cc0faf52c57 |
| SHA512 | 22265ad2c3fe50da4990dffb7eb316dc2841ac6d17486353c57301f1f4f663af81da579142a71dd9d6e5d4f0d6beaee5319186aec41b3f0a197a77cdeb7319ce |
memory/5024-144-0x00000000008D0000-0x0000000000D9B000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 34d22ac1786b0312a985379542ce15d0 |
| SHA1 | bfaa0d95f071ae8ae8b9f9e4619de406b9625f62 |
| SHA256 | 4bbb981784c9099b17d876f4379df91b1147b004753adcd3e186769e8ed9595f |
| SHA512 | 4dc333ba85750529f3d7f862a5781eb658dd53a57806a0557d2e2991e3bb28766d4c54d418015403cd76d3b62fd0099216998cb4550c307342174f6de8d5c8de |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 433b80c1e71ce547923af4abf81d67da |
| SHA1 | 4949f8a32ff682f34b713acf58ef3a2aeabdaa4d |
| SHA256 | 616b1abe263f001ba7bf38ab4551954a582a11447ae3202bb34cd54fefcf8a41 |
| SHA512 | c168527abe1123511fb862526b00df4a0a13fb580b3ad10fff77c56695e7b2ad1d24262b56ff9f9481901ba5915658d111e926e916214fdd8ebf1b6a65aeccc1 |
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/5024-190-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/4632-191-0x0000000000D60000-0x0000000000FA3000-memory.dmp
memory/5024-194-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/1412-195-0x0000000008DB0000-0x0000000008E16000-memory.dmp
memory/4788-199-0x0000000009430000-0x00000000095F2000-memory.dmp
memory/5024-198-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/1412-200-0x000000000A9E0000-0x000000000AF0C000-memory.dmp
memory/4788-203-0x00000000093E0000-0x0000000009430000-memory.dmp
memory/3500-207-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/3500-209-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/5024-210-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/4632-212-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/5024-245-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/5024-249-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/5024-250-0x00000000008D0000-0x0000000000D9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe
| MD5 | f7f25eb4fb89302ddfc596ad4dfb2907 |
| SHA1 | 0a6f2cffb64eef1b4f698427bd3144fb2c679f63 |
| SHA256 | c56917c40623e6f97fb1168b7586d3434b3ba23e0ddaa40ebe455ff7ab7db2ff |
| SHA512 | 27fdbf978393f1d41c13f36e9ce5dff79b332d9039207d21e1b6fedd7a13f42dc30cd5f06096d8cd29fb7cd97243fbb6da77abe5842cbf018ecbe0a18a23f951 |
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
| MD5 | 45b55d1e5d2bf60cc572f541ae6fa7d1 |
| SHA1 | 2329f56147a299bcdbf20520e626cc8253e49a8d |
| SHA256 | 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8 |
| SHA512 | 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/5024-334-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/4632-340-0x0000000000D60000-0x0000000000FA3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
| MD5 | 7e6a519688246fe1180f35fe0d25d370 |
| SHA1 | 8e8719ac897dfef7305311dc216f570af40709af |
| SHA256 | 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a |
| SHA512 | a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972 |
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
| MD5 | b826dd92d78ea2526e465a34324ebeea |
| SHA1 | bf8a0093acfd2eb93c102e1a5745fb080575372e |
| SHA256 | 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b |
| SHA512 | 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17 |
memory/1912-370-0x0000000000400000-0x0000000000643000-memory.dmp
memory/5024-372-0x00000000008D0000-0x0000000000D9B000-memory.dmp
C:\Users\Admin\1000238002\Amadeus.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |
C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe
| MD5 | b73cf29c0ea647c353e4771f0697c41f |
| SHA1 | 3e5339b80dcfbdc80d946fc630c657654ef58de7 |
| SHA256 | edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd |
| SHA512 | 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8 |
memory/2436-411-0x0000000000660000-0x0000000000672000-memory.dmp
memory/5024-412-0x00000000008D0000-0x0000000000D9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
| MD5 | 03cf06e01384018ac325de8bc160b4b2 |
| SHA1 | 1853505e502b392fd556a9ce6050207230cc70cd |
| SHA256 | 5ab3785b2b72eaf7edff8961eb8ff8dd3dc6cc7031bc96ceb06a899b6fb3bbbc |
| SHA512 | be1f2cf898db93e96e8817bf2d0ab0ef0f49d5bba4efba2de4046f6b381e8eda6ff5fcfdc057b6cbc4de5b3a7b096612c1e0d6b0d395ee685b3844ba5dc0e1b6 |
memory/3564-431-0x0000000000D50000-0x0000000000DE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
| MD5 | 30daa686c1f31cc4833bd3d7283d8cdc |
| SHA1 | 70f74571fafe1b359cfe9ce739c3752e35d16cf5 |
| SHA256 | 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822 |
| SHA512 | 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9 |
memory/3500-450-0x0000000000880000-0x00000000008D2000-memory.dmp
memory/3500-471-0x0000000006AC0000-0x0000000006B0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
| MD5 | 3f99c2698fc247d19dd7f42223025252 |
| SHA1 | 043644883191079350b2f2ffbefef5431d768f99 |
| SHA256 | ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3 |
| SHA512 | 6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67 |
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
| MD5 | 771b8e84ba4f0215298d9dadfe5a10bf |
| SHA1 | 0f5e4c440cd2e7b7d97723424ba9c56339036151 |
| SHA256 | 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0 |
| SHA512 | 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164 |
memory/636-1609-0x0000000000640000-0x0000000000660000-memory.dmp
memory/636-1610-0x000000001B2F0000-0x000000001B2F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\302416131143
| MD5 | 6bb4a5809a6fde41b823f6c865bc155a |
| SHA1 | 0605918b757d4a6c69d6acfc4fdbf0133900ae43 |
| SHA256 | c750f290ef41581b0807b9170b88d2b7d99572ed55037bfa95e2dbb72c166c37 |
| SHA512 | 6117d8ea205723a2323f304bb32eadde7a50d661d89a8ff46c6305a7d62aeffc200796acacf98a4438b1360ec10c22885ac817b29ff45a4c893a8085e2dec056 |
memory/1144-1647-0x00000000008D0000-0x0000000000D9B000-memory.dmp
memory/1144-1649-0x00000000008D0000-0x0000000000D9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
| MD5 | fd2defc436fc7960d6501a01c91d893e |
| SHA1 | 5faa092857c3c892eab49e7c0e5ac12d50bce506 |
| SHA256 | ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945 |
| SHA512 | 9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-07 14:32
Reported
2024-09-07 14:35
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Amadey
CryptBot
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe = "C:\\Users\\Admin\\1000238002\\Amadeus.exe" | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2420 set thread context of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4548 set thread context of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3308 set thread context of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | C:\Users\Admin\AppData\Local\Temp\svchost015.exe |
| PID 3984 set thread context of 4724 | N/A | C:\Users\Admin\1000238002\Amadeus.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2448 set thread context of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\40IQMb6U7x.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\NPntknzdRh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost015.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000238002\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe
"C:\Users\Admin\AppData\Local\Temp\2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\NPntknzdRh.exe
"C:\Users\Admin\AppData\Roaming\NPntknzdRh.exe"
C:\Users\Admin\AppData\Roaming\40IQMb6U7x.exe
"C:\Users\Admin\AppData\Roaming\40IQMb6U7x.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\1000238002\Amadeus.exe
"C:\Users\Admin\1000238002\Amadeus.exe"
C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe"
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
"C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
"C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1200
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 117.113.215.185.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | | tcp |
| FI | 95.216.107.53:12311 | | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| EE | 147.45.60.44:80 | stagingbyvdveen.com | tcp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| RU | 194.87.248.136:80 | sevtv17sb.top | tcp |
| RU | 195.133.48.136:80 | fivev5sb.top | tcp |
| US | 8.8.8.8:53 | 136.48.133.195.in-addr.arpa | udp |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 19.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | | tcp |
| FI | 95.216.143.20:12695 | | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 172.67.187.171:443 | millyscroqwp.shop | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | 172.10.21.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | 5e4edc208cd5752116d0a72d01f3772c |
| SHA1 | 93daf7d114a877f533dfb7de0da10b1e5a4ce6c2 |
| SHA256 | 2d9472535ffffd145026ee89594fccdd3d159122587f8df7650f7c94c77cd994 |
| SHA512 | 017124ab462b34a9a7104919baa8cdf7773635066cf99890a45431ac287779ede642653390f57b04341f82744e26cf6257a9c35db79c9cf0185bc687d6234439 |
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
C:\Users\Admin\AppData\Local\Temp\TmpD561.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
C:\Users\Admin\AppData\Roaming\NPntknzdRh.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\40IQMb6U7x.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
memory/4040-121-0x0000000000780000-0x00000000007D2000-memory.dmp
memory/2524-118-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2680-123-0x00000000008D0000-0x000000000095E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-6179872-1886041298-1573312864-1000\76b53b3ec448f7ccdda2063b15d2bfc3_4b97d193-1519-48e1-8d38-f3ecbe02788a
| MD5 | c09a5b78eeacc3198c1173a71817fddd |
| SHA1 | e80600d402a815c8e81fa86e0aecbea72bf79f30 |
| SHA256 | 0fada258f53c69b09b30c28060269667112cf0e348dd33da6570f9220b777045 |
| SHA512 | 137a980e5aee694e4f5721637d9ca0735a475bd163fa7f8f421601a243bcf3812bc6fc9dbc5759012599bd3ad2cb9a4e20c62fbd81f00cdbc13e111935d64cc0 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 8530f3a1b0874990da6937f7fa426205 |
| SHA1 | da86e86dc7a6ff4a4ac21d934791cc3837fd2439 |
| SHA256 | 28bc70f0e96487aff45612117b26685798a441e71f6025f8cea3ee1aa96d0a96 |
| SHA512 | e39155b0f8355fe5ebf29790a66220fad15f69761496552842230b76eddaf8598021be4c8489113f27464dcfce75797e897a4f55547200b41e154d90a3f2c0d1 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 6a627d996c1f18e230d66a64a71434e4 |
| SHA1 | 911a787d4430fd1cace73f27d3833ce6197fe2bd |
| SHA256 | ed54b4083e0e4a3d57497366e21ffa9bd8d33c519f262b829cf9cf0b9e3bebb9 |
| SHA512 | f6c937e9aa69d1859b77f748ef57a9ab77e1651b8a813e5c27d3f735881306fbb32821f0ca169d650db9a1cdb7ca6aae42226b190f96bd0eea1347fe3309b2ac |
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe
| MD5 | f7f25eb4fb89302ddfc596ad4dfb2907 |
| SHA1 | 0a6f2cffb64eef1b4f698427bd3144fb2c679f63 |
| SHA256 | c56917c40623e6f97fb1168b7586d3434b3ba23e0ddaa40ebe455ff7ab7db2ff |
| SHA512 | 27fdbf978393f1d41c13f36e9ce5dff79b332d9039207d21e1b6fedd7a13f42dc30cd5f06096d8cd29fb7cd97243fbb6da77abe5842cbf018ecbe0a18a23f951 |
memory/4368-271-0x0000000000FE0000-0x0000000001223000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
| MD5 | 45b55d1e5d2bf60cc572f541ae6fa7d1 |
| SHA1 | 2329f56147a299bcdbf20520e626cc8253e49a8d |
| SHA256 | 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8 |
| SHA512 | 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2 |
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
| MD5 | 7e6a519688246fe1180f35fe0d25d370 |
| SHA1 | 8e8719ac897dfef7305311dc216f570af40709af |
| SHA256 | 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a |
| SHA512 | a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972 |
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
| MD5 | b826dd92d78ea2526e465a34324ebeea |
| SHA1 | bf8a0093acfd2eb93c102e1a5745fb080575372e |
| SHA256 | 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b |
| SHA512 | 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Temp\service123.exe
| MD5 | 736e5c3ccbcb6b277e629a416e012aa8 |
| SHA1 | d2c6c17b623976c3314ebabb7f2704a1262785f3 |
| SHA256 | 94d6549cb8f69e5d938ebe348ea82a2292ec8ee3a5b483e1e1699ab23e123a20 |
| SHA512 | 4e9bd816651b471d9acf47220279bd9740811ea244ea848fb42e990822da0494c892343f9c430c2a91c2d0da6f3113ec8494917548f78e6098a4f9443fde80fe |
memory/2484-349-0x0000000000400000-0x0000000001069000-memory.dmp
memory/4368-350-0x0000000000FE0000-0x0000000001223000-memory.dmp
C:\Users\Admin\1000238002\Amadeus.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |
memory/2232-367-0x0000000000820000-0x0000000000CEB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe
| MD5 | b73cf29c0ea647c353e4771f0697c41f |
| SHA1 | 3e5339b80dcfbdc80d946fc630c657654ef58de7 |
| SHA256 | edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd |
| SHA512 | 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8 |
memory/2448-388-0x0000000000170000-0x0000000000182000-memory.dmp
memory/3148-390-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
| MD5 | 03cf06e01384018ac325de8bc160b4b2 |
| SHA1 | 1853505e502b392fd556a9ce6050207230cc70cd |
| SHA256 | 5ab3785b2b72eaf7edff8961eb8ff8dd3dc6cc7031bc96ceb06a899b6fb3bbbc |
| SHA512 | be1f2cf898db93e96e8817bf2d0ab0ef0f49d5bba4efba2de4046f6b381e8eda6ff5fcfdc057b6cbc4de5b3a7b096612c1e0d6b0d395ee685b3844ba5dc0e1b6 |
memory/4292-411-0x00000000002F0000-0x0000000000380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
| MD5 | 30daa686c1f31cc4833bd3d7283d8cdc |
| SHA1 | 70f74571fafe1b359cfe9ce739c3752e35d16cf5 |
| SHA256 | 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822 |
| SHA512 | 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9 |
memory/1624-430-0x0000000000CC0000-0x0000000000D12000-memory.dmp
memory/1624-451-0x0000000006EA0000-0x0000000006EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
| MD5 | 3f99c2698fc247d19dd7f42223025252 |
| SHA1 | 043644883191079350b2f2ffbefef5431d768f99 |
| SHA256 | ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3 |
| SHA512 | 6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67 |
C:\Users\Admin\AppData\Local\Temp\179872188604
| MD5 | c4a50f464993b6072cac68b056c38b18 |
| SHA1 | 713d762d682b654e85063adc9780e21ba0243c37 |
| SHA256 | b0b1819364a30fe7cd0b3fd5fdf27ff6cf184be51f1f05a5ec2560b097ec1abd |
| SHA512 | e8350ab8e775f8dae174e3545be25e00c2d3d3c0da5d94750642464d7ba7d1a3c53322d291688bfc0ca3bbe31be65df4a29b6b891944879c4e86207142c95ada |
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
| MD5 | 771b8e84ba4f0215298d9dadfe5a10bf |
| SHA1 | 0f5e4c440cd2e7b7d97723424ba9c56339036151 |
| SHA256 | 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0 |
| SHA512 | 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164 |