Malware Analysis Report

2025-06-16 06:53

Sample ID: 241104-dfj88avjgj
Target: Universal Recoil v2 (R6).rar
SHA256: f130b91ebc9ed8b01e185ef57391819c8b05a524bb3e26b7914185c8879b5b09
Tags: stealc game discovery evasion persistence stealer themida trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f130b91ebc9ed8b01e185ef57391819c8b05a524bb3e26b7914185c8879b5b09

Threat Level: Known bad

The file Universal Recoil v2 (R6).rar was found to be: Known bad.

Malicious Activity Summary

Stealc

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported: 2024-11-04 02:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 02:57

Reported: 2024-11-04 02:57

Platform: win7-20240903-en

Max time kernel: 12s

Max time network: 6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"

Signatures

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\VC_redistx64.exe" C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe C:\Users\Admin\AppData\Roaming\gWsmPty.exe
PID 2520 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
PID 2520 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe

"C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"

C:\Users\Admin\AppData\Roaming\gWsmPty.exe

"C:\Users\Admin\AppData\Roaming\gWsmPty.exe"

C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"

C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe

"C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Roaming\gWsmPty.exe

MD5 c57f035e099bfe7f8d56917a22266dc9
SHA1 88a4ab3cef2b3d293b6d94b8d5b38298d1ec6d87
SHA256 d075bbba29912ff7a321ee5dcb32159b9de8e27e716a1aad9ed52bb9d9ccc4a3
SHA512 836f345be084eeaef97144faa845a697f3c40a5f643088ee355d71cbedac23506c4d53267220bfa467872e850faebbc5a3919fbeb5628534619d39fbcbf1e1e4

C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

MD5 507acc8f3249adef7468989fee931211
SHA1 4d66286973a21e76b0e2c746bac00fa28d446ca9
SHA256 6abb77dce6d4af42005e673cb089b6d41e0ef0b88a6411f4d5dfd8e8b4858154
SHA512 2faee963523b401bf1e588c86bfeef899067456f22848d299525acde5d2ce28a66f769d741deea2e6b218b4e1b0c0f7f4cc08cfc1c2fd8eac5375b3c183b7ee3

C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe

MD5 acf8907ce64638007fb5514265812c67
SHA1 daa5404df21afc0cbfc126b9544fa68f3833e3f8
SHA256 9fe5fb74600e204a4739a0ed262f16ab6c7eb9f970f61d6315a8e5010f9bc3d4
SHA512 aa7478af047621b9f6d828356a20905f46a520cf364bc639ff0c21b5e9ae8eb29d5edcb2dd00c4dc327ca5348868d754c7068aff132d27d21e606e3ff821f9b6


Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 02:57

Reported: 2024-11-04 03:00

Platform: win10v2004-20241007-en

Max time kernel: 143s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"

Signatures

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\VC_redistx64.exe" C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe N/A

Modifies registry class


Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe

"C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"

C:\Users\Admin\AppData\Roaming\gWsmPty.exe

"C:\Users\Admin\AppData\Roaming\gWsmPty.exe"

C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"

C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe

"C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Roaming\gWsmPty.exe

MD5 c57f035e099bfe7f8d56917a22266dc9
SHA1 88a4ab3cef2b3d293b6d94b8d5b38298d1ec6d87
SHA256 d075bbba29912ff7a321ee5dcb32159b9de8e27e716a1aad9ed52bb9d9ccc4a3
SHA512 836f345be084eeaef97144faa845a697f3c40a5f643088ee355d71cbedac23506c4d53267220bfa467872e850faebbc5a3919fbeb5628534619d39fbcbf1e1e4

C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

MD5 507acc8f3249adef7468989fee931211
SHA1 4d66286973a21e76b0e2c746bac00fa28d446ca9
SHA256 6abb77dce6d4af42005e673cb089b6d41e0ef0b88a6411f4d5dfd8e8b4858154
SHA512 2faee963523b401bf1e588c86bfeef899067456f22848d299525acde5d2ce28a66f769d741deea2e6b218b4e1b0c0f7f4cc08cfc1c2fd8eac5375b3c183b7ee3

C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe

MD5 acf8907ce64638007fb5514265812c67
SHA1 daa5404df21afc0cbfc126b9544fa68f3833e3f8
SHA256 9fe5fb74600e204a4739a0ed262f16ab6c7eb9f970f61d6315a8e5010f9bc3d4
SHA512 aa7478af047621b9f6d828356a20905f46a520cf364bc639ff0c21b5e9ae8eb29d5edcb2dd00c4dc327ca5348868d754c7068aff132d27d21e606e3ff821f9b6
