Analysis Overview
SHA256
1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b
Threat Level: Known bad
The file 1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b was found to be: Known bad.
Malicious Activity Summary
Stealc
RedLine payload
GCleaner
Amadey
RedLine
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Identifies Wine through registry keys
Checks BIOS information in registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Modifies system certificate store
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-08 16:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-08 16:32
Reported
2024-09-08 16:35
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Amadey
CryptBot
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1596 set thread context of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2472 set thread context of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\dzQfu7ZJ5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\dzQfu7ZJ5N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe
"C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe
"C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe"
C:\Users\Admin\AppData\Roaming\dzQfu7ZJ5N.exe
"C:\Users\Admin\AppData\Roaming\dzQfu7ZJ5N.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe
"C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe"
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.113.215.185.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | tcp | |
| US | 8.8.8.8:53 | 45.250.179.95.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 8.8.8.8:53 | 26.113.215.185.in-addr.arpa | udp |
| FI | 65.21.18.51:45580 | tcp | |
| US | 8.8.8.8:53 | 51.18.21.65.in-addr.arpa | udp |
| FI | 95.216.107.53:12311 | tcp | |
| US | 8.8.8.8:53 | 53.107.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| US | 8.8.8.8:53 | 216.17.216.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | fivev5sb.top | udp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
| US | 8.8.8.8:53 | 180.144.249.80.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| RU | 80.249.144.180:80 | fivev5sb.top | tcp |
Files
memory/4848-0-0x00000000004A0000-0x000000000096C000-memory.dmp
memory/4848-1-0x0000000077CF4000-0x0000000077CF6000-memory.dmp
memory/4848-2-0x00000000004A1000-0x00000000004CF000-memory.dmp
memory/4848-3-0x00000000004A0000-0x000000000096C000-memory.dmp
memory/4848-4-0x00000000004A0000-0x000000000096C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | c48e96d00170275b32ae17595253db8b |
| SHA1 | 4c5406257dfa38f1f5e9581cff8f8abf0e3166aa |
| SHA256 | 1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b |
| SHA512 | 1ee4dcccc16a087d4c03b4c742cc9e0108ab9cd72dc94cde8fc55e85e3f164a973c4cacd1b0ef36e808c4fc6bbe0a56edffaab8f782cf8c0ecf94435a225be74 |
memory/4848-17-0x00000000004A0000-0x000000000096C000-memory.dmp
memory/3820-18-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-20-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-19-0x0000000000C01000-0x0000000000C2F000-memory.dmp
memory/3820-21-0x0000000000C00000-0x00000000010CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
memory/1596-42-0x000000007390E000-0x000000007390F000-memory.dmp
memory/1596-43-0x00000000006D0000-0x0000000000724000-memory.dmp
memory/4192-45-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4192-47-0x0000000005CC0000-0x0000000006264000-memory.dmp
memory/4192-48-0x00000000057B0000-0x0000000005842000-memory.dmp
memory/4192-49-0x0000000005950000-0x000000000595A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpA0A5.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4192-66-0x00000000063F0000-0x0000000006466000-memory.dmp
memory/4192-67-0x0000000006BA0000-0x0000000006BBE000-memory.dmp
memory/4192-70-0x0000000007530000-0x0000000007B48000-memory.dmp
memory/4192-71-0x0000000007020000-0x000000000712A000-memory.dmp
memory/4192-72-0x0000000006F60000-0x0000000006F72000-memory.dmp
memory/4192-73-0x0000000006FC0000-0x0000000006FFC000-memory.dmp
memory/4192-74-0x0000000007130000-0x000000000717C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
memory/2472-93-0x0000000000460000-0x0000000000572000-memory.dmp
memory/4520-95-0x0000000000400000-0x000000000050D000-memory.dmp
memory/4520-99-0x0000000000400000-0x000000000050D000-memory.dmp
memory/4520-97-0x0000000000400000-0x000000000050D000-memory.dmp
memory/4520-100-0x0000000000400000-0x000000000050D000-memory.dmp
C:\Users\Admin\AppData\Roaming\8LUqFIWu3K.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\dzQfu7ZJ5N.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
memory/4520-122-0x0000000000400000-0x000000000050D000-memory.dmp
memory/1408-123-0x0000000000C60000-0x0000000000CB2000-memory.dmp
memory/1768-125-0x0000000000950000-0x00000000009DE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1b74ca46-c49b-4c52-a57d-8cd1ff70c625
| MD5 | 6604cb1c0b22299af023fdb5e2a3866f |
| SHA1 | ec04bfb8ddf3ad36837daa96ad7567d1ec9988fa |
| SHA256 | 661491388af258a424e43373dd450f714d01f43af1a286772f8b1d91b575edaf |
| SHA512 | 29e4231e54c07a5164984a72b33ca4bf9ff3779aedce7d658f3dd3bac2914b119260da8ee823d0db19baf233245c88b9dcd6e29897189882467b838a0992321a |
memory/3820-143-0x0000000000C00000-0x00000000010CC000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | fba612eeb015040e2746998f014d48bb |
| SHA1 | 6a0b6255fd631eeb7a3e5c8378e71410464608a6 |
| SHA256 | efed14402dbda73ef60c40cde4d6095269dd87531980a735f3bb35ad4b598a89 |
| SHA512 | 3370be0f65c58366664475d361be58253ad5eb8e8924f820c36b7f5a6980f420548152e2962efd4e2f20435b7e1003c896cc00f2df2185947edcb4ca6d34d1db |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | aa60d7755d5a23aaba15d7e1555aa410 |
| SHA1 | 86161ac3fc74599ef77c21e6d4525d4d2407a330 |
| SHA256 | a9d7cb990c537410262c28d8017bd8c2ffbdcc9850133a81bf3cc5100f090e4e |
| SHA512 | 2e51315c3704d082686ee84b93ea15e623e785280051e6482e172ddd9fa76c0234303132dbdff4174972877c00b004c43289782e1b27417ab863d852c8ae35e2 |
memory/3820-148-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-149-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-150-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/4192-151-0x00000000073B0000-0x0000000007416000-memory.dmp
memory/4192-154-0x00000000096B0000-0x0000000009700000-memory.dmp
memory/4192-159-0x00000000099D0000-0x0000000009B92000-memory.dmp
memory/4192-160-0x000000000A0D0000-0x000000000A5FC000-memory.dmp
memory/3820-161-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3368-163-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3368-164-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-166-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-169-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-170-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-171-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-172-0x0000000000C00000-0x00000000010CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/4324-214-0x0000000000990000-0x0000000000BD3000-memory.dmp
memory/3820-215-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/1332-218-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-219-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-220-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-221-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/4324-222-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3820-255-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/3820-259-0x0000000000C00000-0x00000000010CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
| MD5 | 45b55d1e5d2bf60cc572f541ae6fa7d1 |
| SHA1 | 2329f56147a299bcdbf20520e626cc8253e49a8d |
| SHA256 | 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8 |
| SHA512 | 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2 |
memory/3820-281-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/880-284-0x0000000000C00000-0x00000000010CC000-memory.dmp
memory/880-285-0x0000000000C00000-0x00000000010CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
| MD5 | 5f1dffeff8714e88b493506256db8f8a |
| SHA1 | d554da350b41da8556ce83ed851b975d2325a3d2 |
| SHA256 | e372a2d6ea5d76b0ffbccfa5b6574b910826fb5b5998e8e5cc4dcd49f6dffff0 |
| SHA512 | 4bf57a4af1514111e301f8a1c8f3e2c145d078ba45a94edb71af6b1f9ca6dcfb3bd35d5114936f5c97ab4b1561b7b5afd4bfcc6d37b2f39b3aca0c96e0b28960 |
memory/1752-301-0x0000000000400000-0x0000000001069000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
| MD5 | 7e6a519688246fe1180f35fe0d25d370 |
| SHA1 | 8e8719ac897dfef7305311dc216f570af40709af |
| SHA256 | 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a |
| SHA512 | a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972 |
C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe
| MD5 | 85737d1c7426259423c84f96719e82ea |
| SHA1 | 0cc96b89ffc0150d6f28143cac0a1070e7d86e40 |
| SHA256 | 5aba703ae3636bbd23110d80621643e39f4b924a664f85bd6542f9f10c6b983b |
| SHA512 | 5dbeaceb38a1991b539e5c11e31b4fdea806d845466052a0ca2c9de46b2d98af64c80d1fd237218f58770f1b334c09e02dd4a6dc7f4043767911a212d359abcf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-08 16:32
Reported
2024-09-08 16:35
Platform
win11-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
CryptBot
GCleaner
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1048 set thread context of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1968 set thread context of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mbDi4I8oUt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\mbDi4I8oUt.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe
"C:\Users\Admin\AppData\Local\Temp\1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe
"C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe"
C:\Users\Admin\AppData\Roaming\mbDi4I8oUt.exe
"C:\Users\Admin\AppData\Roaming\mbDi4I8oUt.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe"
C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe
"C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1068
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 117.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | tcp | |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 154.216.17.216:80 | 154.216.17.216 | tcp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| RU | 80.66.75.114:80 | 80.66.75.114 | tcp |
| RU | 194.87.248.136:80 | sevtv17sb.top | tcp |
Files
memory/3432-0-0x0000000000A30000-0x0000000000EFC000-memory.dmp
memory/3432-1-0x0000000077606000-0x0000000077608000-memory.dmp
memory/3432-2-0x0000000000A31000-0x0000000000A5F000-memory.dmp
memory/3432-3-0x0000000000A30000-0x0000000000EFC000-memory.dmp
memory/3432-5-0x0000000000A30000-0x0000000000EFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | c48e96d00170275b32ae17595253db8b |
| SHA1 | 4c5406257dfa38f1f5e9581cff8f8abf0e3166aa |
| SHA256 | 1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b |
| SHA512 | 1ee4dcccc16a087d4c03b4c742cc9e0108ab9cd72dc94cde8fc55e85e3f164a973c4cacd1b0ef36e808c4fc6bbe0a56edffaab8f782cf8c0ecf94435a225be74 |
memory/3432-15-0x0000000000A30000-0x0000000000EFC000-memory.dmp
memory/3436-17-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-18-0x0000000000031000-0x000000000005F000-memory.dmp
memory/3436-19-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-20-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-21-0x0000000000030000-0x00000000004FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
memory/1048-42-0x0000000072FCE000-0x0000000072FCF000-memory.dmp
memory/1048-43-0x00000000001A0000-0x00000000001F4000-memory.dmp
memory/4052-45-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4052-47-0x0000000005AC0000-0x0000000006066000-memory.dmp
memory/4052-48-0x0000000005510000-0x00000000055A2000-memory.dmp
memory/4052-49-0x0000000005490000-0x000000000549A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp8E31.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4052-64-0x0000000006230000-0x00000000062A6000-memory.dmp
memory/4052-65-0x00000000068C0000-0x00000000068DE000-memory.dmp
memory/4052-68-0x0000000007250000-0x0000000007868000-memory.dmp
memory/4052-69-0x0000000008A10000-0x0000000008B1A000-memory.dmp
memory/4052-70-0x0000000007180000-0x0000000007192000-memory.dmp
memory/4052-71-0x00000000071E0000-0x000000000721C000-memory.dmp
memory/4052-72-0x0000000008B20000-0x0000000008B6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
memory/1968-91-0x0000000000340000-0x0000000000452000-memory.dmp
memory/792-93-0x0000000000400000-0x000000000050D000-memory.dmp
memory/792-98-0x0000000000400000-0x000000000050D000-memory.dmp
memory/792-97-0x0000000000400000-0x000000000050D000-memory.dmp
memory/792-95-0x0000000000400000-0x000000000050D000-memory.dmp
C:\Users\Admin\AppData\Roaming\adCd8sIRNf.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\mbDi4I8oUt.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
memory/792-118-0x0000000000400000-0x000000000050D000-memory.dmp
memory/1548-121-0x0000000000150000-0x00000000001A2000-memory.dmp
memory/4272-123-0x00000000001F0000-0x000000000027E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-6179872-1886041298-1573312864-1000\76b53b3ec448f7ccdda2063b15d2bfc3_4b97d193-1519-48e1-8d38-f3ecbe02788a
| MD5 | 562abd2cb61265213e9d76b619ebced5 |
| SHA1 | 1f53942078a9345046ac02f5d3d6312bdd5fcc25 |
| SHA256 | c5b50ea423e654ebf016826bff89310819623d6d4a4f48b4eb20fadac6247aef |
| SHA512 | 68ef3da39684857d936569a173305df0a6dc61edd795db9073b08faf8eb6f131f7d9e0fad63328c0f779bd9b9d4c052b32daa7cb55d80eba6bd8feba62a3c59b |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | c8bc827b1b013a96924769f6a270e5c7 |
| SHA1 | 0c3605ebc2b716c9a0def39d6f6560a62c30e839 |
| SHA256 | 398d9ba1561b7a2ea90c156adaeef88cfb797d5fb78a5b3fcb6ecbeea25d887a |
| SHA512 | a6ee3dc0d3d682dce5471965d093b52b17fdd578f484b23c2189e21b18e07a36f96000747380198ffff8ac669131f021e63e0e5cc292ad6fe4c092923e2cb428 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 8530f3a1b0874990da6937f7fa426205 |
| SHA1 | da86e86dc7a6ff4a4ac21d934791cc3837fd2439 |
| SHA256 | 28bc70f0e96487aff45612117b26685798a441e71f6025f8cea3ee1aa96d0a96 |
| SHA512 | e39155b0f8355fe5ebf29790a66220fad15f69761496552842230b76eddaf8598021be4c8489113f27464dcfce75797e897a4f55547200b41e154d90a3f2c0d1 |
memory/3436-143-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-146-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/4052-147-0x0000000006CA0000-0x0000000006D06000-memory.dmp
memory/3436-150-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-151-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/4272-154-0x0000000009A50000-0x0000000009C12000-memory.dmp
memory/4272-155-0x000000000A150000-0x000000000A67C000-memory.dmp
memory/4052-156-0x00000000094C0000-0x0000000009510000-memory.dmp
memory/3436-157-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3152-159-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3152-160-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-161-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-162-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-163-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-164-0x0000000000030000-0x00000000004FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/4512-207-0x0000000000470000-0x00000000006B3000-memory.dmp
memory/3436-205-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-208-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/4024-211-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/4024-213-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-214-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/4512-215-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3436-248-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-249-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/3436-251-0x0000000000030000-0x00000000004FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe
| MD5 | 5f1dffeff8714e88b493506256db8f8a |
| SHA1 | d554da350b41da8556ce83ed851b975d2325a3d2 |
| SHA256 | e372a2d6ea5d76b0ffbccfa5b6574b910826fb5b5998e8e5cc4dcd49f6dffff0 |
| SHA512 | 4bf57a4af1514111e301f8a1c8f3e2c145d078ba45a94edb71af6b1f9ca6dcfb3bd35d5114936f5c97ab4b1561b7b5afd4bfcc6d37b2f39b3aca0c96e0b28960 |
C:\Users\Admin\AppData\Local\Temp\1000028001\univ.exe
| MD5 | 85737d1c7426259423c84f96719e82ea |
| SHA1 | 0cc96b89ffc0150d6f28143cac0a1070e7d86e40 |
| SHA256 | 5aba703ae3636bbd23110d80621643e39f4b924a664f85bd6542f9f10c6b983b |
| SHA512 | 5dbeaceb38a1991b539e5c11e31b4fdea806d845466052a0ca2c9de46b2d98af64c80d1fd237218f58770f1b334c09e02dd4a6dc7f4043767911a212d359abcf |
memory/3436-289-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/4748-297-0x0000000010000000-0x000000001001C000-memory.dmp
memory/4932-302-0x0000000000400000-0x0000000001066000-memory.dmp
memory/4748-304-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3436-308-0x0000000000030000-0x00000000004FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0LOG5DBA\download[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4104-314-0x0000000000030000-0x00000000004FC000-memory.dmp
memory/4932-317-0x0000000000400000-0x0000000001066000-memory.dmp