Malware Analysis Report

2024-09-23 00:22

Sample ID 240508-plwpzscd3x
Target FlashBTC core 2024 Full Edition.zip
SHA256 2a4aee03d0e31745e786611470be3ad45d8c9f35b141f6e364542ab3ca6f5519
Tags
asyncrat stormkitty default persistence rat spyware stealer execution
score
10/10

Analysis Overview

score
10/10

SHA256

2a4aee03d0e31745e786611470be3ad45d8c9f35b141f6e364542ab3ca6f5519

Threat Level: Known bad

The file FlashBTC core 2024 Full Edition.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default persistence rat spyware stealer execution

AsyncRat

StormKitty

StormKitty payload

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Looks up geolocation information via web service

Drops desktop.ini file(s)

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Unsigned PE

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: SetClipboardViewer

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-08 12:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win10v2004-20240419-en

Max time kernel

145s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\1XDHRO6P4.5.exe\" .." C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2980 set thread context of 3116 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\crack.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 668 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 668 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2980 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 668 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe
PID 1912 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 1912 wrote to memory of 444 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 1532 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3116 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1808 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1808 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3116 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4880 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe"

C:\Users\Admin\AppData\Roaming\crack.exe

"C:\Users\Admin\AppData\Roaming\crack.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

"C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe

"C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe"

C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"

C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

"C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp685F.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:3389 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/668-0-0x00000000751D2000-0x00000000751D3000-memory.dmp

memory/668-1-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/668-2-0x00000000751D0000-0x0000000075781000-memory.dmp

C:\Users\Admin\AppData\Roaming\crack.exe

MD5 9215015740c937980b6b53cee5087769
SHA1 a0bfe95486944f1548620d4de472c3758e95d36a
SHA256 a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA512 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

MD5 e7f8c4ea62d6c4ae774f981480c6b232
SHA1 2dad33c36ad472cee4ca8231c723e92bd7033b7d
SHA256 c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b
SHA512 f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7

C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

MD5 8d17fae8b6efcdf310021c21ba21a253
SHA1 5824d9a7e709c2fbff3fe1b77d46ce8da12fb76b
SHA256 2666146118425d99aa65f5b01a0687f3f54007f01d63366c4b945b6dd25f37d7
SHA512 6ebe1e8c5a17ac0d26ff8fb6c8c65d7baf7fc349558ee899ee0586f6b0448b93660f61cc633518ce7449938d6bb862b5fa9e81a03482fbee57c9999269a99997

memory/2980-40-0x00000000723AE000-0x00000000723AF000-memory.dmp

memory/3576-39-0x00007FFCA3FB3000-0x00007FFCA3FB5000-memory.dmp

memory/1532-38-0x00000000723AE000-0x00000000723AF000-memory.dmp

memory/3576-41-0x0000029946860000-0x000002994686A000-memory.dmp

memory/1532-42-0x0000000000070000-0x0000000000078000-memory.dmp

memory/2980-43-0x0000000000490000-0x00000000004C6000-memory.dmp

memory/2980-44-0x0000000005250000-0x00000000057F4000-memory.dmp

memory/2980-46-0x0000000004D90000-0x0000000004E22000-memory.dmp

memory/2980-47-0x0000000004F60000-0x0000000004FFC000-memory.dmp

memory/2980-49-0x0000000004D20000-0x0000000004D2A000-memory.dmp

memory/3116-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/668-67-0x00000000751D0000-0x0000000075781000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe.log

MD5 a5dcc7c9c08af7dddd82be5b036a4416
SHA1 4f998ca1526d199e355ffb435bae111a2779b994
SHA256 e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA512 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

MD5 bb2f6ec73b6646fb1d674763a060b42b
SHA1 dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d
SHA256 0f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de
SHA512 9df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8

C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

MD5 081247dd185e8d1a9d8aaf745fe103ca
SHA1 24cc30dd55d0519a9b2561243ddb55512824e7c7
SHA256 b5f56facdbb2d5ae278eb31ff16a226b73da97afd62d385b2798e949d12b54c3
SHA512 ad2600dcafecfbc0473db9011f8d3969a1d1a2ac8affd1fc1430145c6b0c21ce9ade1a2e208ef808b05ca421706800839ed618486e3a421b8d14762736631c27

memory/4380-90-0x00000000003C0000-0x00000000003C8000-memory.dmp

memory/444-94-0x000000001BAC0000-0x000000001BB5C000-memory.dmp

memory/444-91-0x000000001C130000-0x000000001C5FE000-memory.dmp

memory/444-96-0x000000001C700000-0x000000001C7A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp685F.tmp.cmd

MD5 9a04ca91ecc0f633d40cfb7bce019502
SHA1 49afccf1469626f6f6557e04f887ea2904bbbd1c
SHA256 ea664967abbcac44480ee89c24549a5f0fb088008d5f52bb7de2aa14ebb0ed07
SHA512 22f91da6156b004858ce6ce914f5e607629e12e395cd6d6a70ad378e9dc527059a30134122aa999d2e9f69301db2b8f86906bab3de15810bbab64b603aab00c5

memory/444-98-0x00000000013D0000-0x00000000013D8000-memory.dmp

memory/3116-100-0x0000000005200000-0x0000000005266000-memory.dmp

C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\System\Process.txt

MD5 4f43a74b245aa370e8b37c70eeacfcc7
SHA1 b1b891846db29032f8c9687f5d173a6220c83ac3
SHA256 f2853a1ae023f4cbef11ee88108eede2b50d92c2be59c56437ff39eba566bb8e
SHA512 55c02cc0e2046563cf5c604ebb0a4cf602e32a67b9b2e03ada40f4c02d0edcbdb589aa5832cb5a0ec52f3fceacdc3329a8cbeb2c492dce77ac9ea60c50c8a765

memory/3116-268-0x0000000005EA0000-0x0000000005EAA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk

MD5 3ed327d4ce8aaab5cddda9bd667147d8
SHA1 0edd65c69aa3562d79c1028957beb7d8c76370a3
SHA256 025632bc09d31d651cabeb41f989d006b33ee49e9df43248f5310949cc58fcfa
SHA512 f541a387bb18c1e231d25acab1eebc98de55a1d86f11f5b759fb50187b1357897be5ae12fd3095890b79286a207c21c67086170db305634388c40a59689fdbd6

C:\Users\Admin\AppData\Local\fef01719289d6c9a40f97f935e5890f1\msgid.dat

MD5 be527e944a7f140a0288cad9ac818fc5
SHA1 fc350a28c9f9e0251bf229466e5797a5f7e74839
SHA256 229ad98c757f1191de326602ba9e8037ec1d79beaad26d3ebc5ddcd4ada7e251
SHA512 a5820c63b7591e794d8959206aa35f345050366c057c53c77fc20bdd36a0caab9cc9f24eb449905f3a6abe01cabad1eebb75f2baf8f511f4aeadf50b935b2912

memory/3116-278-0x0000000005F30000-0x0000000005F42000-memory.dmp

memory/3576-303-0x00007FFCA3FB3000-0x00007FFCA3FB5000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Recover Shell Script.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Recover Shell Script.js"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win7-20231129-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MessagingToolkit.QRCode.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MessagingToolkit.QRCode.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:33

Platform

win10v2004-20240226-en

Max time kernel

128s

Max time network

171s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\QRCoder.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\QRCoder.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Recover Shell Script.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Recover Shell Script.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win7-20240221-en

Max time kernel

119s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fr\Microsoft.VisualBasic.PowerPacks.Vs.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fr\Microsoft.VisualBasic.PowerPacks.Vs.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:31

Platform

win7-20240221-en

Max time kernel

65s

Max time network

23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\1XDHRO6P4.5.exe\" .." C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2576 set thread context of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\crack.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2060 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2060 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2060 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 2060 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2060 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2060 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2060 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2060 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2060 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2060 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2060 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2060 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe
PID 2060 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe
PID 2060 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe
PID 2060 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe
PID 2464 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2464 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2464 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2464 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2464 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 2464 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 2464 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 2464 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 1648 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1168 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1168 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1168 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2696 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1472 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1472 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1472 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1472 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1472 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1472 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1472 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1472 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 108 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 108 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 108 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe"

C:\Users\Admin\AppData\Roaming\crack.exe

"C:\Users\Admin\AppData\Roaming\crack.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

"C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe

"C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe"

C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"

C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

"C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
N/A 127.0.0.1:3389 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/2060-0-0x0000000074CA1000-0x0000000074CA2000-memory.dmp

memory/2060-1-0x0000000074CA0000-0x000000007524B000-memory.dmp

memory/2060-2-0x0000000074CA0000-0x000000007524B000-memory.dmp

\Users\Admin\AppData\Roaming\crack.exe

MD5 9215015740c937980b6b53cee5087769
SHA1 a0bfe95486944f1548620d4de472c3758e95d36a
SHA256 a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA512 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

\Users\Admin\AppData\Roaming\Microsoft Edge.exe

MD5 e7f8c4ea62d6c4ae774f981480c6b232
SHA1 2dad33c36ad472cee4ca8231c723e92bd7033b7d
SHA256 c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b
SHA512 f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7

C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe

MD5 8d17fae8b6efcdf310021c21ba21a253
SHA1 5824d9a7e709c2fbff3fe1b77d46ce8da12fb76b
SHA256 2666146118425d99aa65f5b01a0687f3f54007f01d63366c4b945b6dd25f37d7
SHA512 6ebe1e8c5a17ac0d26ff8fb6c8c65d7baf7fc349558ee899ee0586f6b0448b93660f61cc633518ce7449938d6bb862b5fa9e81a03482fbee57c9999269a99997

memory/2576-24-0x0000000001120000-0x0000000001156000-memory.dmp

memory/1648-23-0x0000000001290000-0x0000000001298000-memory.dmp

memory/2612-25-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

memory/2576-27-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/2696-29-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2696-31-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2696-35-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2696-40-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2696-42-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2696-38-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2696-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2696-33-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2060-55-0x0000000074CA0000-0x000000007524B000-memory.dmp

\Users\Admin\AppData\Roaming\AdobeUpdate.exe

MD5 bb2f6ec73b6646fb1d674763a060b42b
SHA1 dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d
SHA256 0f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de
SHA512 9df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8

memory/2736-65-0x00000000011C0000-0x00000000011C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

MD5 081247dd185e8d1a9d8aaf745fe103ca
SHA1 24cc30dd55d0519a9b2561243ddb55512824e7c7
SHA256 b5f56facdbb2d5ae278eb31ff16a226b73da97afd62d385b2798e949d12b54c3
SHA512 ad2600dcafecfbc0473db9011f8d3969a1d1a2ac8affd1fc1430145c6b0c21ce9ade1a2e208ef808b05ca421706800839ed618486e3a421b8d14762736631c27

C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp.cmd

MD5 e62514a52244df3258fb221ad17a918d
SHA1 1f08ab9680f05ae54a7a74535d0ba8b98e2cee02
SHA256 1fa921ffdef9e3c3f31ad9790b880b6864eaa29b67125c0c4ec06d1b95840d34
SHA512 d788ace562d479f5c5cccab9acb5f5cb86bc6ef8ff905dec5f51975acfb0ab8c7e59074bc73b2f63e77188a7b5730e9260072a12d3ed57b1b476a5e772f70d0c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk

MD5 4441676aa95904e452ed0def6b15328b
SHA1 05bc279bb85cb57a4610b35aae7a6d2e2170664f
SHA256 c9caac7b92b6f4c3ae1f733446f9abeb5755a88cd7c2be698a0e40c5da8a1fda
SHA512 2341b979ced3bf9f0d1cbefcecfded5b43bc51869e9cf1580e8390ed7fec02fa93799589e2efcbd70512008bcce6ad640afb358ab86cca0e07da17a838a71524

C:\Users\Admin\AppData\Local\Temp\Cab6561.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar6633.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd74aca7b52f72b37e35a3284f5a3ca6
SHA1 807603ae5089defa777364c011937e7c739492fe
SHA256 7e894391cd4fdff563d2df2026aaa874006d07cff5d6b9edb821bc421b52b577
SHA512 3a419201cedccd774880b1ac9062395ce954fca9595689cac513d83c1fef3e4c3977f75d154215768010a3f14df3f78843c00f46b65d83f8443b6f6e520fed67

C:\Users\Admin\AppData\Local\af504c90833bdfb1884cb467bcb35e48\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MessagingToolkit.QRCode.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MessagingToolkit.QRCode.dll,#1

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualBasic.PowerPacks.Vs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualBasic.PowerPacks.Vs.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win7-20240220-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\QRCoder.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\QRCoder.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win10v2004-20240419-en

Max time kernel

145s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fr\Microsoft.VisualBasic.PowerPacks.Vs.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fr\Microsoft.VisualBasic.PowerPacks.Vs.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-08 12:25

Reported

2024-05-08 12:32

Platform

win7-20240221-en

Max time kernel

118s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualBasic.PowerPacks.Vs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualBasic.PowerPacks.Vs.dll,#1

Network

N/A

Files

N/A