Analysis Overview
SHA256
75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4
Threat Level: Known bad
The file JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4 was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
AsyncRat
StormKitty
StormKitty payload
Async RAT payload
Downloads MZ/PE file
Uses the VBS compiler for execution
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
Looks up geolocation information via web service
Drops desktop.ini file(s)
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Analysis: static1
Detonation Overview
Reported
2023-09-02 11:32
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-02 11:32
Reported
2023-09-02 11:35
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
AsyncRat
RedLine
SmokeLoader
StormKitty
StormKitty payload
Async RAT payload
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E7FE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2E9E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2116 set thread context of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\E7FE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4744 set thread context of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\2E9E.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7EB3.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | "C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe" |
| C:\Users\Admin\AppData\Local\Temp\E7FE.exe | C:\Users\Admin\AppData\Local\Temp\E7FE.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\2E9E.exe | C:\Users\Admin\AppData\Local\Temp\2E9E.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Users\Admin\AppData\Local\Temp\7EB3.exe | C:\Users\Admin\AppData\Local\Temp\7EB3.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show profile |
| C:\Windows\SysWOW64\findstr.exe | findstr All |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show networks mode=bssid |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stalagmijesarl.com | udp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | 167.32.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oshi.at | udp |
| NL | 5.253.86.15:443 | oshi.at | tcp |
| US | 8.8.8.8:53 | 15.86.253.5.in-addr.arpa | udp |
| DE | 162.55.189.218:26952 | N/A | tcp |
| RU | 5.42.65.101:48790 | N/A | tcp |
| US | 8.8.8.8:53 | 101.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\E7FE.exe
| MD5 | 80c339b9cfb70abfcb04639c45ed43cd |
| SHA1 | 8528245af0095d13719df2d074783e7e3e3b7b9c |
| SHA256 | 75dd991971cab83f49b214ca6e3dca575395db63514e334f8b0065478af6f077 |
| SHA512 | 4a54f03886aed7af2ff71e7f36e9193194c11ebf1d924922bdb8d5a0b70a73d001db3c263dbb193c188c6fe52070435da2771a6ecdba8310b40f7a5ef7f80c4e |
C:\Users\Admin\AppData\Local\Temp\2E9E.exe
| MD5 | d57accb7d374c8489a3cde9533043084 |
| SHA1 | d627a1b90e3a1440838a0a7703c25328ad2db210 |
| SHA256 | e54b359e1dd5757218f6ab704f705f99e52363f755df843b680850b7e513b0ca |
| SHA512 | 7433d210ace1929e79cf4e3873246aef729b172bfeb74ee744813965533b1cf24ff288c6e6d2c75195365861d0ca149b5bccb9d48cb395b9eafe4d3d53557d46 |
C:\Users\Admin\AppData\Local\Temp\7EB3.exe
| MD5 | 1dbe07fed59f883e991f772130e022ac |
| SHA1 | 23e457a6cc81df9fccef59ac029652895a76547f |
| SHA256 | 503c9d610d82544719a132f4e64675da75966301fe811e3f39dea134ad3f4606 |
| SHA512 | c369ab225ea0b092db4f65f71a57e5947ae59fd6d74a663006fac24f90f7197b7be0afaa457c9da17884b6d62ec9dacb443c2894396f2328dce77816b06388f1 |
C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\eb4662cf6465107625efdcb2d9de66ff\Admin@VNIYNTNL_en-US\System\Process.txt
| MD5 | 03c082fa4708921619160f42e4bd631a |
| SHA1 | 5ea830d2038a5319a3540fcd47d0376f490d201f |
| SHA256 | 4fa5e738e2beaef3423c703f556ffa419e9e47aa386f0f83ab157e0a8a8016aa |
| SHA512 | 62e1e201f625188839fb3f497b5f56fe02f3c48f7d3cb04ad2779c8bd59bcac984f644060d0fab6f865c8bdcd716093688bd5b20745c98cd232bc4c0a3a4a809 |
C:\Users\Admin\AppData\Local\c4f04431fadc7c659abb0461c0403a9f\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-02 11:32
Reported
2023-09-02 11:35
Platform
win7-20230831-en
Max time kernel
152s
Max time network
155s
Command Line
Signatures
AsyncRat
RedLine
SmokeLoader
StormKitty
StormKitty payload
Async RAT payload
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E39E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1216 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\E39E.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1280 set thread context of 660 | N/A | C:\Users\Admin\AppData\Local\Temp\2B67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7E58.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
"C:\Users\Admin\AppData\Local\Temp\JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe"
C:\Users\Admin\AppData\Local\Temp\E39E.exe
C:\Users\Admin\AppData\Local\Temp\E39E.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\2B67.exe
C:\Users\Admin\AppData\Local\Temp\2B67.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\7E58.exe
C:\Users\Admin\AppData\Local\Temp\7E58.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stalagmijesarl.com | udp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.80:80 | apps.identrust.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | oshi.at | udp |
| NL | 5.253.86.15:443 | oshi.at | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| DE | 162.55.189.218:26952 | N/A | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| RU | 5.42.65.101:48790 | N/A | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| DE | 162.55.189.218:26952 | N/A | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 194.87.32.167:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| DE | 162.55.189.218:26952 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| DE | 162.55.189.218:26952 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| DE | 162.55.189.218:26952 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
Files
memory/2036-1-0x0000000001470000-0x0000000001570000-memory.dmp
memory/2036-3-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2036-2-0x0000000000400000-0x0000000001399000-memory.dmp
memory/1220-4-0x0000000002BE0000-0x0000000002BF6000-memory.dmp
memory/2036-5-0x0000000000400000-0x0000000001399000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD126.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarD1A6.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ee4bb6e1c0bb6f7839f8a60162155e77 |
| SHA1 | b497d726e4953f2dc67372fc1d3152cc4f99d123 |
| SHA256 | cfaf84354dead851879646258ed2fa122b7df6583fd7609dfb7fade9d87d29b3 |
| SHA512 | 53571e6ac6c1cf0265412d47530e0c6682cbfccb9627d4fc9711091b26b998daff544881fbe9a3fe74ced259918b2fcfe26ae223830b62c6adc33f913ef9a785 |
C:\Users\Admin\AppData\Local\Temp\E39E.exe
| MD5 | 80c339b9cfb70abfcb04639c45ed43cd |
| SHA1 | 8528245af0095d13719df2d074783e7e3e3b7b9c |
| SHA256 | 75dd991971cab83f49b214ca6e3dca575395db63514e334f8b0065478af6f077 |
| SHA512 | 4a54f03886aed7af2ff71e7f36e9193194c11ebf1d924922bdb8d5a0b70a73d001db3c263dbb193c188c6fe52070435da2771a6ecdba8310b40f7a5ef7f80c4e |
memory/2252-99-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2252-100-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2252-101-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2252-102-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2252-103-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2252-104-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2252-106-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2252-108-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2252-109-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2252-110-0x0000000000380000-0x0000000000386000-memory.dmp
memory/2252-111-0x0000000000B40000-0x0000000000B80000-memory.dmp
memory/2252-112-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2252-113-0x0000000000B40000-0x0000000000B80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2B67.exe
| MD5 | d57accb7d374c8489a3cde9533043084 |
| SHA1 | d627a1b90e3a1440838a0a7703c25328ad2db210 |
| SHA256 | e54b359e1dd5757218f6ab704f705f99e52363f755df843b680850b7e513b0ca |
| SHA512 | 7433d210ace1929e79cf4e3873246aef729b172bfeb74ee744813965533b1cf24ff288c6e6d2c75195365861d0ca149b5bccb9d48cb395b9eafe4d3d53557d46 |
memory/1280-119-0x0000000000C50000-0x0000000000DEB000-memory.dmp
memory/660-120-0x0000000000400000-0x0000000000428000-memory.dmp
memory/660-118-0x0000000000400000-0x0000000000428000-memory.dmp
memory/660-124-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1280-127-0x0000000000C50000-0x0000000000DEB000-memory.dmp
memory/660-128-0x0000000000400000-0x0000000000428000-memory.dmp
memory/660-126-0x0000000000400000-0x0000000000428000-memory.dmp
memory/660-129-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/660-130-0x0000000006E40000-0x0000000006E80000-memory.dmp
memory/660-131-0x00000000745B0000-0x0000000074C9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7E58.exe
| MD5 | 1dbe07fed59f883e991f772130e022ac |
| SHA1 | 23e457a6cc81df9fccef59ac029652895a76547f |
| SHA256 | 503c9d610d82544719a132f4e64675da75966301fe811e3f39dea134ad3f4606 |
| SHA512 | c369ab225ea0b092db4f65f71a57e5947ae59fd6d74a663006fac24f90f7197b7be0afaa457c9da17884b6d62ec9dacb443c2894396f2328dce77816b06388f1 |
memory/2312-139-0x00000000003B0000-0x00000000003E2000-memory.dmp
memory/2312-138-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2312-144-0x00000000048E0000-0x0000000004920000-memory.dmp
memory/2312-143-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2068-147-0x00000000000C0000-0x00000000000CB000-memory.dmp
memory/2068-146-0x00000000000D0000-0x00000000000D7000-memory.dmp
memory/2020-150-0x0000000000060000-0x000000000006F000-memory.dmp
memory/2020-149-0x0000000000070000-0x0000000000079000-memory.dmp
memory/2020-148-0x0000000000060000-0x000000000006F000-memory.dmp
memory/2212-152-0x00000000000D0000-0x00000000000D5000-memory.dmp
memory/2212-151-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2212-153-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1808-154-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2312-155-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/1808-156-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1808-157-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2068-161-0x00000000000D0000-0x00000000000D7000-memory.dmp
memory/2312-160-0x00000000048E0000-0x0000000004920000-memory.dmp
memory/1868-159-0x00000000000C0000-0x00000000000E7000-memory.dmp
memory/1868-158-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/1868-162-0x00000000000C0000-0x00000000000E7000-memory.dmp
memory/1524-164-0x0000000000090000-0x0000000000095000-memory.dmp
memory/1524-163-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2068-165-0x00000000000C0000-0x00000000000CB000-memory.dmp
memory/2380-166-0x0000000000080000-0x000000000008B000-memory.dmp
memory/2020-167-0x0000000000070000-0x0000000000079000-memory.dmp
memory/2380-168-0x0000000000090000-0x0000000000096000-memory.dmp
memory/2380-169-0x0000000000080000-0x000000000008B000-memory.dmp
memory/1064-171-0x0000000000070000-0x0000000000077000-memory.dmp
memory/1064-170-0x0000000000060000-0x000000000006D000-memory.dmp
memory/1064-172-0x0000000000060000-0x000000000006D000-memory.dmp
memory/2580-247-0x0000000000080000-0x000000000008B000-memory.dmp
memory/1808-248-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2580-249-0x0000000000060000-0x000000000006D000-memory.dmp
memory/2580-251-0x0000000000080000-0x000000000008B000-memory.dmp
memory/1868-252-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/2312-254-0x00000000048E0000-0x0000000004920000-memory.dmp
memory/1524-258-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2380-259-0x0000000000090000-0x0000000000096000-memory.dmp
memory/1064-260-0x0000000000070000-0x0000000000077000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be125d021a970fafb77eb96a61962edc |
| SHA1 | ffaa63acad234f00fe8055d83d98df2b6d8fce80 |
| SHA256 | 8e60fb9262338634bb0e1b66a3de6b22102011b795d149c3e2dd6f25a9833905 |
| SHA512 | 97659982bde4cdf9a03982f878a89a0564101b3b4c5c5da0cc4c21bc1099181d0cdc1d660ff0c82d5e3114d5e67a2bd164bb1bd72810d6a25745615d2664d91e |
C:\Users\Admin\AppData\Local\b597a693fc004d5ec3353b57ba522874\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2580-283-0x0000000000060000-0x000000000006D000-memory.dmp
memory/2312-284-0x00000000048E0000-0x0000000004920000-memory.dmp