Malware Analysis Report

2024-09-23 00:21

Sample ID: 240508-pk183scc7t
Target: Flash USDT Sender V5.0.zip
SHA256: e5ada968624062651aa3a61474149ca7d5cd9fc3d8afc4421a73b139e0fefe2a
Tags: evasion asyncrat stormkitty default persistence rat spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file Flash USDT Sender V5.0.zip was found to be: Known bad.

Malicious Activity Summary

StormKitty payload

StormKitty

AsyncRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Reads user/profile data of web browsers

Adds Run key to start application

Looks up geolocation information via web service

Drops desktop.ini file(s)

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-08 12:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:26

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CommonModule.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1992 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CommonModule.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CommonModule.dll,#1

Network

N/A

Files

memory/2836-1-0x0000000074240000-0x0000000074693000-memory.dmp

memory/2836-3-0x0000000074250000-0x00000000746A3000-memory.dmp

memory/2836-2-0x0000000073DE0000-0x0000000074233000-memory.dmp

memory/2836-0-0x0000000074260000-0x00000000746B3000-memory.dmp

memory/2836-4-0x0000000077050000-0x0000000077052000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:27

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\1XDHRO6P4.5.exe\" .." | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 468 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000e82921442792da01490e8d462792da0129c94b472792da0114000000 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2172 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe | C:\Users\Admin\AppData\Roaming\crack.exe
PID 2172 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2172 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2172 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 468 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 468 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 4688 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1712 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3940 wrote to memory of 688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 3940 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1712 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 4272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 920 wrote to memory of 4788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe

"C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe"

C:\Users\Admin\AppData\Roaming\crack.exe

"C:\Users\Admin\AppData\Roaming\crack.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

"C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe"

C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

"C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4E2F.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:3389 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp

Files

memory/2172-0-0x0000000074802000-0x0000000074803000-memory.dmp

memory/2172-1-0x0000000074800000-0x0000000074DB1000-memory.dmp

memory/2172-2-0x0000000074800000-0x0000000074DB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\crack.exe

MD5 9215015740c937980b6b53cee5087769
SHA1 a0bfe95486944f1548620d4de472c3758e95d36a
SHA256 a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA512 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

MD5 e7f8c4ea62d6c4ae774f981480c6b232
SHA1 2dad33c36ad472cee4ca8231c723e92bd7033b7d
SHA256 c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b
SHA512 f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7

C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

MD5 8d17fae8b6efcdf310021c21ba21a253
SHA1 5824d9a7e709c2fbff3fe1b77d46ce8da12fb76b
SHA256 2666146118425d99aa65f5b01a0687f3f54007f01d63366c4b945b6dd25f37d7
SHA512 6ebe1e8c5a17ac0d26ff8fb6c8c65d7baf7fc349558ee899ee0586f6b0448b93660f61cc633518ce7449938d6bb862b5fa9e81a03482fbee57c9999269a99997

memory/4972-40-0x00007FF839803000-0x00007FF839805000-memory.dmp

C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

MD5 ac7938b542469a1c5bb108fc046ac87b
SHA1 9571a4ab3359b982f0ab33b03e815df8c354b0f3
SHA256 1efd1de7aef995821042509c66121a942c7ee8e004badbb4e14a10b5d7c96292
SHA512 a669d873bfbe176b6e8b365178272b8666eeadc85e74a814c10e0d5217b988d8f11ef94aa495cbd9ad47d63f4483872c3e42e18c9554db7572ef14321682d257

memory/4688-42-0x00000000719DE000-0x00000000719DF000-memory.dmp

memory/4972-53-0x0000020186E00000-0x0000020186E0A000-memory.dmp

memory/468-57-0x00000000719D0000-0x0000000072180000-memory.dmp

memory/468-58-0x0000000005C40000-0x00000000061E4000-memory.dmp

memory/5052-56-0x0000000005690000-0x000000000572C000-memory.dmp

memory/4688-59-0x0000000000A60000-0x0000000000A68000-memory.dmp

memory/5052-55-0x0000000000D80000-0x0000000000E48000-memory.dmp

memory/468-54-0x0000000000D60000-0x0000000000D96000-memory.dmp

memory/468-61-0x0000000005690000-0x0000000005722000-memory.dmp

memory/2172-51-0x0000000074800000-0x0000000074DB1000-memory.dmp

memory/5052-68-0x0000000005760000-0x000000000576A000-memory.dmp

memory/5052-70-0x0000000005870000-0x00000000058C6000-memory.dmp

memory/468-71-0x00000000719D0000-0x0000000072180000-memory.dmp

memory/1712-67-0x0000000000400000-0x0000000000430000-memory.dmp

memory/468-63-0x00000000055E0000-0x00000000055EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4E2F.tmp.cmd

MD5 75ca45728de396d58717d3294ae7557f
SHA1 ffdde6fa659cc95968eb75961a9d28f6a928c438
SHA256 c0355d733a94f5e08951ddc8700107f8ac6de7ea03abc4ac658aa8840fb59edf
SHA512 645cc5d4173551e5d10d1d6fb93f5bf44bf26168758ec541c88f405a4fb4931f1bf99a9062474f1c7ebee0de75f22ee976fff6a610e7e5da772ce88187b0b962

memory/1712-76-0x0000000004F00000-0x0000000004F66000-memory.dmp

C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\bc648bb11cea509a84f6538e8bb0cb21\Admin@EBFSRKGG_en-US\System\Process.txt

MD5 8f18aac0dda3083b8b0b0ab4142095a9
SHA1 0045649efde4233d9bacbc8a3fdac413b0348a57
SHA256 b26b81c835696153460bed15214219afd6ae8978bed6ce5a40497fdbe95abe5c
SHA512 dfe73b6bb465cc6b78eca6e464c4a96c679062f0b66715a6f231fa4b2923a93872ca167730690cbd5144afb54885fe7d5565919cc84825e756edfc1d57fc839e

memory/1712-236-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

C:\Users\Admin\AppData\Local\c2a5cbcc41246c6eac2a03d678431a1e\msgid.dat

MD5 346bf307c2d5ef3d13af943f2da0bb44
SHA1 df6de4a94b6e64829f5f5d1945ecfcecdb9af257
SHA256 596d5907bb95768e862626b3837a01a7f8e3d27e678f4c5daaeca546c5de0bc3
SHA512 b949f17902385cac9906d93286096ca898705ffb80f4d938f395161d34a5a39b5cd563216574893ba4e711e9487950b3652bb3841f7f81ee13e7e0f65cabb34a

memory/1712-242-0x0000000006920000-0x0000000006932000-memory.dmp

memory/4972-265-0x00007FF839803000-0x00007FF839805000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:26

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AgentModule.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AgentModule.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AgentModule.dll,#1

Network

N/A

Files

memory/2188-1-0x00000000743E0000-0x000000007485D000-memory.dmp

memory/2188-2-0x0000000074860000-0x0000000074CDD000-memory.dmp

memory/2188-0-0x0000000074860000-0x0000000074CDD000-memory.dmp

memory/2188-3-0x0000000077680000-0x0000000077682000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:26

Platform

win7-20240221-en

Max time kernel

137s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\1XDHRO6P4.5.exe\" .." C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\2a02bea06922e5a2ca8688b6fe1e5a42\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\2a02bea06922e5a2ca8688b6fe1e5a42\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\2a02bea06922e5a2ca8688b6fe1e5a42\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\2a02bea06922e5a2ca8688b6fe1e5a42\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\2a02bea06922e5a2ca8688b6fe1e5a42\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\2a02bea06922e5a2ca8688b6fe1e5a42\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2604 set thread context of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421332954" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000ca9bec549280733823b546bab36d17d043cf6213110b47a77a88fee6b84b3b49000000000e800000000200002000000083b440cb9f124d0f2b45115d80d0ff767fc66568ea5941a70e8df618ec2ab04020000000747d21caf7d8535000fc3dd46211cfcaedb32564e3f61607b7e32ae6612e12e540000000575130087be39657c445906594e3b03afcf030bbe38af34c45afc086c9ab3c097b58e8ebf7d3ef1150b155ae255d8163c94599ccd02d6bde42ac105a6401c2a0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4F8B331-0D35-11EF-8FBA-CEEE273A2359} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703e0dca42a1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04
eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\crack.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2436 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2436 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2436 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2436 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2436 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2436 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2436 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2436 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2436 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2436 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2436 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2436 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2436 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2436 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2436 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2604 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2604 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 1884 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2400 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2316 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2316 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2316 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2316 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2316 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2316 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2316 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2712 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2712 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2712 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2712 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2712 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2712 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe

"C:\Users\Admin\AppData\Local\Temp\Flash USDT Sender.exe"

C:\Users\Admin\AppData\Roaming\crack.exe

"C:\Users\Admin\AppData\Roaming\crack.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

"C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe"

C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

"C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://satoshibag.xyz/re56g-tether-wallet/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
N/A 127.0.0.1:3389 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 satoshibag.xyz udp
US 8.8.8.8:53 satoshibag.xyz udp
N/A 127.0.0.1:7707 tcp
US 103.224.212.213:80 satoshibag.xyz tcp
US 103.224.212.213:80 satoshibag.xyz tcp
US 8.8.8.8:53 ww25.satoshibag.xyz udp
US 199.59.243.225:80 ww25.satoshibag.xyz tcp
US 199.59.243.225:80 ww25.satoshibag.xyz tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
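The process list and network table above carry the two most useful hunting hooks in this detonation: StormKitty's Wi-Fi credential harvesting (cmd.exe running `chcp 65001 && netsh wlan show profile | findstr All` and `netsh wlan show networks mode=bssid`), and a burst of loopback connections to 127.0.0.1 on ports 6606, 7707 and 8808, which are the ports AsyncRAT's builder ships with (together with Hosts=127.0.0.1), i.e. what an unconfigured or default build beacons to. The script below is an added example, not part of the sandbox output: it runs simple heuristics over records constructed from the Processes and Network sections (plus one rundll32 line from the detonations further down) and tags each hit. The regexes, tag names, port list and the masquerading name list are the author's own assumptions, not sandbox signatures.

```python
"""Heuristic triage over the process list and network table above.

Added example, not sandbox output. The records below are constructed from
the Processes and Network sections of this detonation (plus one rundll32
line from the detonations further down); the tags, regexes and port list
are the author's own hunting heuristics, not the sandbox's signatures.
"""
import re
from collections import Counter

# Constructed from the Processes section: (image path, command line).
PROCESSES = [
    (r"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp.cmd""'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" http://satoshibag.xyz/re56g-tether-wallet/'),
    # From the rundll32 detonations below (behavioral2):
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\AgentModule.dll,#1"),
]

# Constructed from the Network table: (destination ip, port).
CONNECTIONS = [
    ("149.154.167.220", 443), ("104.16.185.241", 80), ("127.0.0.1", 3389),
    ("127.0.0.1", 7707), ("127.0.0.1", 8808), ("127.0.0.1", 6606),
    ("127.0.0.1", 7707), ("204.79.197.200", 443),
]

# AsyncRAT's builder defaults are Hosts=127.0.0.1, Ports=6606,7707,8808;
# loopback traffic on exactly these ports points at an unconfigured build.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

# StormKitty enumerates Wi-Fi profiles with netsh and then dumps each one
# with key=clear; the report shows only the enumeration stage.
WLAN_ENUM_RE = re.compile(r"netsh\s+wlan\s+show\s+(?:profiles?|networks)", re.I)
WLAN_KEY_RE = re.compile(r"key\s*=\s*clear", re.I)
# A .cmd/.bat dropped to %TEMP% and run via cmd /c (the installer stub).
TEMP_SCRIPT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.(?:cmd|bat)\b", re.I)
# rundll32 <dll>,<entry>; entry is either an ordinal (#1) or an export name.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<entry>#\d+|\w+)\s*$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# System/vendor binary names that do not belong under AppData. Only the
# first appears in this report; the others are the author's additions.
MASQUERADE_NAMES = {"microsoft edge.exe", "svchost.exe", "explorer.exe"}


def classify_process(image, cmdline):
    """Return the heuristic tags that fire for one process record."""
    tags = []
    if WLAN_ENUM_RE.search(cmdline):
        tags.append("wifi-profile-enum")
    if WLAN_KEY_RE.search(cmdline):
        tags.append("wifi-key-dump")
    if TEMP_SCRIPT_RE.search(cmdline):
        tags.append("cmd-temp-batch")
    m = RUNDLL_RE.search(cmdline)
    if m:
        if USER_WRITABLE_RE.search(m.group("dll").strip('"')):
            tags.append("rundll32-user-writable-dll")
        if m.group("entry").startswith("#"):
            tags.append("rundll32-ordinal-export")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in MASQUERADE_NAMES and USER_WRITABLE_RE.search(image):
        tags.append("masquerading-system-name")
    return tags


def asyncrat_default_port_hits(conns):
    """Count loopback connections on AsyncRAT's default ports, per port."""
    return dict(Counter(port for ip, port in conns
                        if ip == "127.0.0.1" and port in ASYNCRAT_DEFAULT_PORTS))


def triage(processes=PROCESSES, conns=CONNECTIONS):
    """Map each flagged command line to its tags, plus the port summary."""
    findings = {cmd: classify_process(img, cmd) for img, cmd in processes}
    findings = {cmd: tags for cmd, tags in findings.items() if tags}
    hits = asyncrat_default_port_hits(conns)
    if hits:
        findings["asyncrat-default-ports"] = hits
    return findings


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{value}  <-  {key}")
```

The iexplore.exe line is intentionally not flagged: opening the satoshibag.xyz landing page is the lure, not the payload. The single 127.0.0.1:3389 connection is also left alone, since 3389 is not on AsyncRAT's default list and the report gives no owner for it. In a real hunt the `key=clear` rule matters more than the enumeration rule, because `netsh wlan show profile` alone is common in admin scripts while `key=clear` from a cmd.exe child of an AppData\Roaming binary is not.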

Files

memory/2436-0-0x0000000074611000-0x0000000074612000-memory.dmp

memory/2436-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2436-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

\Users\Admin\AppData\Roaming\crack.exe

MD5 9215015740c937980b6b53cee5087769
SHA1 a0bfe95486944f1548620d4de472c3758e95d36a
SHA256 a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA512 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

MD5 8d17fae8b6efcdf310021c21ba21a253
SHA1 5824d9a7e709c2fbff3fe1b77d46ce8da12fb76b
SHA256 2666146118425d99aa65f5b01a0687f3f54007f01d63366c4b945b6dd25f37d7
SHA512 6ebe1e8c5a17ac0d26ff8fb6c8c65d7baf7fc349558ee899ee0586f6b0448b93660f61cc633518ce7449938d6bb862b5fa9e81a03482fbee57c9999269a99997

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

MD5 e7f8c4ea62d6c4ae774f981480c6b232
SHA1 2dad33c36ad472cee4ca8231c723e92bd7033b7d
SHA256 c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b
SHA512 f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7

\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

MD5 ac7938b542469a1c5bb108fc046ac87b
SHA1 9571a4ab3359b982f0ab33b03e815df8c354b0f3
SHA256 1efd1de7aef995821042509c66121a942c7ee8e004badbb4e14a10b5d7c96292
SHA512 a669d873bfbe176b6e8b365178272b8666eeadc85e74a814c10e0d5217b988d8f11ef94aa495cbd9ad47d63f4483872c3e42e18c9554db7572ef14321682d257

memory/2436-30-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2592-34-0x0000000001340000-0x000000000134A000-memory.dmp

memory/2904-33-0x0000000000ED0000-0x0000000000F98000-memory.dmp

memory/2604-32-0x0000000000030000-0x0000000000066000-memory.dmp

memory/1884-31-0x0000000000E80000-0x0000000000E88000-memory.dmp

memory/2604-36-0x0000000000580000-0x000000000058A000-memory.dmp

memory/2400-40-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2400-49-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2400-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2400-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2400-53-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2400-44-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2400-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2400-42-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp.cmd

MD5 798711a4bdadd9a015b809d59e07f384
SHA1 4cccfc2321bca2b969d54fdf1a5b10674e777e19
SHA256 e9baf61a4302e0aeef614119c038ab31ffdebb6dc86aac3d1826a7e44b6a5fe1
SHA512 568ca629d3c7e72e49e734012d239c52b80771c1ae775ab7ac169278d5eac2196e0647d319c884eab429c98a8709596606fadba1c387252fcb69d925ec1aa183

C:\Users\Admin\AppData\Local\Temp\Cab5347.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar5467.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb1452cbadb3ff5a35bcd0e89b18892b
SHA1 fdde790a79a4f3f08fdad5e24119ce05def8aa79
SHA256 ad6f2f16072de1514ee17a16b3cb37411f4bf8855d48f9edf2c8f3d63e2fb594
SHA512 7b8812ce13a35aee6715d91eaf65147b8f021ac5809dadd9a9318f0c21c5137440622cdae5900060140d8e2f6997588d1dd0372dddfbe4a1f72fd9fabd542309

C:\Users\Admin\AppData\Local\af504c90833bdfb1884cb467bcb35e48\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c2e650609bae686e2f1eb9ce8e17f99
SHA1 38ba82a2acb4e6b85eb3bdd9245aed2a9f5f0c21
SHA256 4ea04f1f21543051eaf4edef659693d9241ab1d538db17c4fa11a406a0ad603f
SHA512 3f4892240fd8149bdf5600359ada1e9912fe55799cb00d2f3ca7e9937a4fb0bab325aba15a350b205cc057669d5b501964a4be4ce2f69e3586fc048aa1155d32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1586ffe55c52c68ecd023fad47edd04b
SHA1 e680ef29273298aa90e87e0ca8e09190f3d8c04a
SHA256 aaea27f4232f16ddcbf95d94640115f99b0cd0a6a999e17f4c0f9d9864b5da3c
SHA512 8b9358e079281569555b02e8fc3f98a0fd26d3a1ca83f07a43eca6ab46c371bcf00f1af6c1224d315663b3ba0dcfcb5c7ea5330c71fd7fca58a5464cdccb157d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfed0051097f8cf65982094ac4a20327
SHA1 fffa3528a7edbc7db72ae07743d5c215c553aff0
SHA256 8e49a93e4c5a9d43668ec2cfe6d50fe007428f285cf6ef5e786975cc4d531307
SHA512 d7f9430b355fedbff017aa43b966dc7751776e6ee7c7325ad2c27c87276e3e74c8cbb2e3d9da360f25082f723c27a1b88f6fea3a96bd690ce8e3eb86683e746f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1ace7849dc1af538c2c8884f22600cc
SHA1 488adfa1dd9f8102815002a08abfc3a97b67825c
SHA256 701dbde924598443556d574bf7a2cf599b26d8a8100e83287542b2413870d12c
SHA512 0ad635788a75bf7127194e4cfce415aff9b9d9678b10577297b655a6d24e367dbbe9ff7fae40df0f743cddccbff2b53823c611b5d913e84b515ae088a6038f7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8815f03c42f507b8fab96717386eb660
SHA1 1a7e503ecda57bffc7f00076c033ffd41baf56ee
SHA256 06d9bae2de5d89df77a542d7d5c262456b16fbb3d7aa5749e542a176be50ec8e
SHA512 cfbd120a5430fb23a9c666851dc8fb1d60b186b8be4745c094ef9035dd5cc4113feaf0089cc26fd4262ff21f0e0a7e63b315bf91ac713011c966cb9e95227d05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e907084d378dfd5c6cfe96d7ea4c6b0e
SHA1 15afc22967fcb6002e60262a04347552783cec6b
SHA256 94489c2757d9b3a7f5e1a2aee152ff8a52492bca0ff7da4a5e1199ee927c1d2b
SHA512 a94a8ac94d061eec0d51e334ce7ff93e904295eab65da7cc9d960a86f880c3726c0b6020a7a4a710b2372e9d99a6bac301510182d5c05b27f651b3a1a1162ed8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 849a38358ab9ffb596b5b31f4541e565
SHA1 e70ed25ee6dc5072e72143047236d06d86992ca1
SHA256 24f1f79fafcedc90f211f5de6a853f04fb6c190e34174f1225c012dbce1bf2ae
SHA512 89af24068e6f69aa7a2d14a6f5f3862a71729050245d58ff074aa5e6390360d6e4e47a86d23ad6a2a63f2d47090775fe63cacc16fdacbe5851ec9aa7e0654bc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ddad66add6e9d162de1a98e4fca4ca09
SHA1 d26176b6a775cee022044fb82724be360d359e3e
SHA256 12aaeb74f98af0a057c179fabd0e60978e3c5a434ad96066de6f285aa69a2cd8
SHA512 ce97dddef8650827c1329984f9f480d5dd461ca02bde8d40da52f6aa95e34cd81d05cc1ac7aef02db7f247e39a0bd2e01fe58ce8f2602bdd2d2d9b9c6508dba5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 429f4272e670d7a171ee2712331a849a
SHA1 9f5ca26dd3f5943443dee6f9831d9816af721053
SHA256 1841d07c4d7aeffcfa4c8c7c443f9e94015455e9392f314b7b23ae6c6fba3d30
SHA512 ea7cc36ed2860388c3d1f36e8d2a512a9c76bc66384429257e0cef64ab3e5671d165dae447f20c29fe29ff9b10e8a1fdadbfdc0cf464553e91b25e990c823d04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2e601b2379840b73b1ab4e41e8d0a44
SHA1 9872a7753ffbe3cd9b70028346902fdaf7910283
SHA256 dfb51547e3b720da0aefdb2515d4145a6589ab85bfb1456d04024961e0eb4b66
SHA512 6af7b500147b993cdf67b4501b2d63112fea251c14d27c1a2e1221099b82acbed1957eb3e73ea9704c3177b2677fb828352baa8008c4300b7a082d571c283199

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10f5dfdbe3828b30eea6448241c0322a
SHA1 de2eb81600e11282c717716ebcdfb29dd337262c
SHA256 04da50df7502b72f018204995284f5b1f43733cc6efeb738e13e32f232da0a0c
SHA512 6f40c64b4938ba6ecb2f1731b701f02a3d1629a0522f9ea3c10cf3e4e6724374b43f0208b610aae069305069e5eb4a2c90ebd1f8d3c3c1f4b844fa1d5392bb6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6225d99f39c5094f4c7cd79c73916d94
SHA1 4be0267c96d4b229e6f8a17c66464b5a3208749d
SHA256 8acb79009f71cb2aaec88f48e3776ac76a437eb30d30720068fef75189ebe02e
SHA512 e0c66952401e755809fef58353fa786e9bb8120d04b46383061f1f3496364a9931b016faa8e54f2862b1c4f81516f8def3b6464a6b293f5e25393fe32638ffb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40d4a73ec27cceb2f91a611a4e2b0f42
SHA1 4b3e6152cf2cee6698cef2664de2024aab8f0e13
SHA256 877bbe4580942c629e28f522fc7afbdfc6dbe260ab80b3fff5e0054282a32393
SHA512 7629077af7ae2a80d3391a916abc6e508fb80b57145c4c0dcf990b2ca63384ca92934ee023d7931b1f6d2dd0efab33694c0ff789ccccdd45503c93c52294fbf3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f52b68c41a389f1074d5b540d550099d
SHA1 607c940a812f3ae1a10a9cc942f69b6f87917c0f
SHA256 7008534fd3260fb374d374dc60b40e2b93df8ef4851daecb9631f289a4376094
SHA512 aa4b941f2daca128583a505b2ec7bfc2b2c831d54917314d10a554662436a6d1e1b1f4b269d2575a8c028daf33515549ff795a8a0d71c1d338c19c53e340ecd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b466c00da8d3bbe50092a70a72f4c092
SHA1 0d05676bf8d0f30df8db62605494a7b8732b9e56
SHA256 cefdae944aea15f123d2794ce010ab0b40a55f9566a425db4a1f848bab896e58
SHA512 37df5309a7f43b3bc351561e7cce85c7f41ef6cfb560779d5d8017ecefb8675f4dc25e5cd4c0958b669fe4592bb9d70156d98fc020e9f5e96ef66a83a471bb1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2d5156e1a8659f5ebf687dd77ad60b0
SHA1 286c2df12778cb7d8c7d4cc615d7c0c15e6ea43a
SHA256 03cb283f430ddfdd224f483f5a4ee72dd9e0cb2674a6aa4fd7715e0e76aba2e8
SHA512 49d970a6d4629b2faef193cdc90dc2dab69dd9a6435ba69f0019b05c71ac8d025332f6741010e4ed1d0865b4728bcc667b01f5be4d00bafded5943458e492a01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cefe2e13a0bae3590d3d5f8b07f9435
SHA1 4acbac553792c67269d6da26234c1750c24f5d31
SHA256 f7404adb28acbbeee99c90e5abe46a5eec8be58490bc3b377068f022c8e31e85
SHA512 d5d087bb79adcc20ccb93a514f2838400f025626674615fdd93ab53eba244741aa9368cf901aff3286ac9a3e4485853ad30398beeae31864df52d0f87da67940

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f81c74e99e91d9949f6b13f0f7a3af82
SHA1 e78a56be9cf95862f3af0d1ce66ae36025c1b45c
SHA256 2313dad99493118c1dad4b189aed4457bf7eea97cd0ff607e43f36585a0067a7
SHA512 c7272245a5a62942d8b318dfb39a0c5c1d30d5b9f202823e29f5fdd771cd47e735d5c114d749967ce7bed5cd7f4106504a9413ca793b4d41d343c1fd28d522d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33cd1637fa0decc6731073b4ad18e389
SHA1 6485e77a84b347dd5fdaadabb930d6c3d040a3de
SHA256 ede2e1e6cad37dbd8b039b94a9e911acf935ede18137a7ee83dc255ceb93636b
SHA512 53621aab6604d336ea94dfc982a4efaf14c0076d30dfc3b27be7c052fc366c642dc22b3340443936bb25ae82155cc4efecf5259c3671d9c0359aead7159d359c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5700096b41ebeb8ba583203de7a40b1e
SHA1 1b69b744d1005fc4b2383a6ce00c98ad2663917f
SHA256 068d0cef07bdab306373af360c66e67267180a07a92659f8663280310175b53f
SHA512 97fed716fa9c5f1ac25005fd9cdd4132e856f8b4dfd15dd03570494498a4c98d790627e941cdf2a0170f816eae9439f4b2647dbb51884762e257c708c64ff5a9

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cygwin1.dll,#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2328 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2328 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2328 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2328 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2328 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2328 wrote to memory of 2724 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cygwin1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cygwin1.dll,#1

Network

N/A

Files

memory/2724-1-0x0000000061000000-0x00000000614F0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:27

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cygwin1.dll,#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cygwin1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cygwin1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/2792-0-0x0000000061000000-0x00000000614F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:27

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AgentModule.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Wine C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3652 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3652 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AgentModule.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AgentModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1888-0-0x0000000074870000-0x0000000074CED000-memory.dmp

memory/1888-1-0x0000000077284000-0x0000000077286000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-08 12:24

Reported

2024-05-08 12:27

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CommonModule.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 2540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 2540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
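The behavioral2 and behavioral4 detonations show the same three anti-analysis probes from the rundll32-hosted DLLs: opening HARDWARE\ACPI\DSDT\VBOX__ (VirtualBox's ACPI vendor id), querying SystemBiosVersion and VideoBiosVersion (BIOS strings name the hypervisor), and opening Software\Wine under the user hive. The sandbox logs these as kernel object paths (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...), and the SID differs between the two runs, so a rule that hard-codes the logged path will not carry over. The script below is an added example, not part of the report: it strips the hive prefix and SID, matches the hive-relative path case-insensitively against a small check table, and gives a verdict. The events are constructed from the signature tables above (with one benign control row added), and the check table is the author's own; it covers only what this report shows plus the FADT/RSDT siblings of the DSDT table, which VirtualBox also stamps with VBOX__.

```python
"""Normalise sandbox registry indicators and map them to anti-analysis checks.

Added example, not sandbox output. EVENTS is constructed from the
behavioral2 and behavioral4 signature tables (one benign control row added
by the author); the CHECKS table is the author's own and is limited to
what this report shows plus the two sibling ACPI tables noted below.
"""
import re

# Kernel-object path prefixes as the sandbox logs them. The per-machine SID
# under \REGISTRY\USER differs between the two detonations, so it is parsed
# out rather than hard-coded into any rule.
_HIVE_RE = re.compile(
    r"^\\REGISTRY\\(?:(?P<machine>MACHINE)|USER\\(?P<sid>S-1-5-21-[\d-]+(?:_Classes)?))\\",
    re.I)

# (hive-relative path pattern, tag, what the check tells the malware)
CHECKS = [
    # Report shows DSDT only; FADT/RSDT also carry the VBOX__ vendor id.
    (r"^HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", "vbox-acpi",
     "VirtualBox ACPI table vendor id is present"),
    (r"^HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", "bios-version",
     "BIOS strings typically name the hypervisor vendor"),
    (r"^Software\\Wine$", "wine",
     "Wine exposes a Software\\Wine key under the user hive"),
]

# Constructed from the signature tables above: (operation, path, process).
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", RUNDLL),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", RUNDLL),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", RUNDLL),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine", RUNDLL),
    # Benign control row, constructed: a normal version lookup.
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", RUNDLL),
]


def split_hive(path):
    """Return (hive, hive-relative path); hive is 'HKLM' or 'HKU\\<sid>'."""
    m = _HIVE_RE.match(path)
    if not m:
        return None, path
    hive = "HKLM" if m.group("machine") else "HKU\\" + m.group("sid")
    return hive, path[m.end():]


def classify_event(path):
    """Return the check tag for a registry path, or None if no rule matches."""
    _, rel = split_hive(path)
    for pattern, tag, _note in CHECKS:
        if re.match(pattern, rel, re.I):  # registry paths are case-insensitive
            return tag
    return None


def anti_analysis_tags(events):
    """Distinct check families observed across all events, sorted."""
    return sorted({t for _op, path, _proc in events
                   if (t := classify_event(path)) is not None})


def verdict(tags):
    """Two or more independent check families is a strong anti-VM signal."""
    if len(tags) >= 2:
        return "likely anti-vm"
    return "weak" if tags else "none"


if __name__ == "__main__":
    for op, path, proc in EVENTS:
        hive, rel = split_hive(path)
        print(f"{op:18} {hive}\\{rel}  -> {classify_event(path)}")
    tags = anti_analysis_tags(EVENTS)
    print(tags, verdict(tags))
```

The verdict threshold is deliberately conservative: a BIOS version query on its own is common in legitimate installers and inventory agents, so a single family is reported as "weak"; it is the combination of hypervisor, BIOS and Wine probes in one process, as seen here, that marks the DLL as checking its environment before doing anything else.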

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CommonModule.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CommonModule.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/2540-0-0x0000000074E40000-0x0000000075293000-memory.dmp

memory/2540-1-0x0000000077834000-0x0000000077836000-memory.dmp