Malware Analysis Report

2024-09-23 00:38

Sample ID: 240510-pab67sdc9s
Target: BlitzedGrabberV12-main.zip
SHA256: 6aae2aa20d7887b26d58aae978d0b4960780498f237a8f7d567d7bab0c52319a
Tags: agilenet stormkitty stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral11
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral14
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral13
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral15
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral9
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral12
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral7
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral8
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral10
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral16
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

6aae2aa20d7887b26d58aae978d0b4960780498f237a8f7d567d7bab0c52319a

Threat Level: Known bad

The file BlitzedGrabberV12-main.zip was found to be: Known bad.

Malicious Activity Summary

agilenet stormkitty stealer

StormKitty payload

StormKitty

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Checks processor information in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/4920-0-0x00007FFBF7930000-0x00007FFBF7940000-memory.dmp

memory/4920-1-0x00007FFC3794D000-0x00007FFC3794E000-memory.dmp

memory/4920-2-0x00007FFC378B0000-0x00007FFC37AA5000-memory.dmp

memory/4920-3-0x00007FFC378B0000-0x00007FFC37AA5000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240215-en

Max time kernel

119s

Max time network

121s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main.zip

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

104s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240226-en

Max time kernel

129s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/4972-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/4972-1-0x0000000000860000-0x0000000000A0C000-memory.dmp

memory/4972-2-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/4972-3-0x0000000005930000-0x0000000005ED4000-memory.dmp

memory/4972-4-0x0000000005460000-0x00000000054F2000-memory.dmp

memory/4972-5-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4972-6-0x0000000005700000-0x000000000570A000-memory.dmp

memory/4972-7-0x0000000005FE0000-0x00000000061D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

memory/4972-15-0x00000000715D0000-0x0000000071607000-memory.dmp

memory/4972-20-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-26-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-38-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-36-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-34-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-32-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-30-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-24-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-22-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-18-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-17-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-28-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-16-0x00000000738E0000-0x0000000073969000-memory.dmp

memory/4972-78-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-76-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-72-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-68-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-66-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-62-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-60-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-58-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-56-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-54-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-52-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-50-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-46-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-40-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-74-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-70-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-64-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-48-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-44-0x0000000005FE0000-0x00000000061CE000-memory.dmp

memory/4972-42-0x0000000005FE0000-0x00000000061CE000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3268-0-0x000000007500E000-0x000000007500F000-memory.dmp

memory/3268-1-0x0000000000B80000-0x0000000000BFA000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 552

Network

N/A

Files

memory/2028-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

memory/2028-1-0x0000000000950000-0x00000000009CA000-memory.dmp

memory/2028-2-0x00000000749AE000-0x00000000749AF000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\README.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\md_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\md_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.md | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.md\ = "md_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\md_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\md_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\md_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\README.md

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\README.md

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\README.md"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0482ffe0e4fb1362a155394dfffb9f3d
SHA1 74e529a454e75c05956b7d50013955ee2abd0ceb
SHA256 15917303c8be792d35f9a74c4f0f3aa876b7b46a3132324b9948b1cb3b01e744
SHA512 5f12dc110b4ab9c3f635767f48f8ce739fca425bafb2fbb8ae553e26dfc78ba00ad9845b4115931029d832e073d026393e44916bb27766c8e6d9759d12c695f7

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240508-en

Max time kernel

145s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2348 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2348 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2348 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2500 wrote to memory of 1996 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2500 wrote to memory of 1996 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2500 wrote to memory of 1996 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2500 wrote to memory of 1996 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2348 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
PID 376 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
PID 376 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
PID 376 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EE4.tmp" "c:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\CSC1CEC30DC5B5475EB0CD967E3203485.TMP"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Resources\UltraEmbeddable.exe "Resources\RamonlisTools.exe" "RamonlisTools.exe"

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

Resources\UltraEmbeddable.exe "Resources\RamonlisTools.exe" "RamonlisTools.exe"

Network

N/A

Files

memory/2348-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

memory/2348-1-0x0000000000B80000-0x0000000000D2C000-memory.dmp

memory/2348-3-0x0000000005010000-0x0000000005202000-memory.dmp

memory/2348-2-0x0000000073F80000-0x000000007466E000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

memory/2348-10-0x00000000737A0000-0x00000000737D7000-memory.dmp

memory/2348-12-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-13-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-11-0x0000000073D80000-0x0000000073E00000-memory.dmp

memory/2348-15-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-17-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-19-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-21-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-23-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-25-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-27-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-29-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-31-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-33-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-37-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-39-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-41-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-43-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-45-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-47-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-49-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-51-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-35-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-55-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-63-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-71-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-73-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-69-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-67-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-65-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-61-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-59-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-57-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-53-0x0000000005010000-0x00000000051FE000-memory.dmp

memory/2348-11666-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2348-11667-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2348-11668-0x0000000073F80000-0x000000007466E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.Config

MD5 02bafe634a181de6af59ecfb1a9a7230
SHA1 5fb944dc91a95007795d83f2037cfe42f0d959f0
SHA256 6288699c8a0e00de7329c8f642bc22e6d7ed873f1decd32f05231cf69cac4470
SHA512 3e4dc4ae10bf527b98608883638356a84aa9652707276981458b0d9c58f000b290f24b4fbd1794ef02484ccf5ff43d5b55ab7161f5c9f408f68f7caa0676b362

memory/2348-11676-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

memory/2348-11677-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2348-11678-0x00000000737A0000-0x00000000737D7000-memory.dmp

memory/2348-11679-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2348-11680-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2348-11681-0x0000000005BF0000-0x0000000005D0E000-memory.dmp

memory/2348-11682-0x0000000005260000-0x000000000527A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.cmdline

MD5 9873ad71c44c7e3ae8d84487103d2ad8
SHA1 6a70f11025fcd1c1a942eb389f06ec2627f4144b
SHA256 e33470abf095c917ea6cd7b72a5f11bf1cb9454307614961355d899f4260b356
SHA512 d996dcdb5265d2d9f91cc24757d4160eb988f192f47e867dc6771b2c75e8da901e75c8d86ac14c40e60aa2d18d95a6780990e2b62d023867e7dc02dd32eebe02

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.0.cs

MD5 a1cb03c69a86d1cef3dac4f19d67ffea
SHA1 b59e521d310108de89029fec0590d2e545ec151b
SHA256 81ce5e65958df8d8212efc0a628d075b82dba3bb06a68d11efc4fca94904ea10
SHA512 abbdead8dbde3de797c86ab6276e1b6d71cdb0946678cb89f7bb70b5a14d2f68f788a7364a34c3d203d042ebb29e233877ae38257c1a43a04b8846d13e8ac10e

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.15.cs

MD5 22c3d05f5b44cff89379bf3d07ff43eb
SHA1 afa1651ac289ca98f948b2d16d93e072abef9b66
SHA256 a8b3ed4d742dbfae796a084b72389c9acd3063907ea0a33321a41685b809e302
SHA512 1d53f5e7e244b2c93014a42e2d230315e5bd511f836712478fc88d22345d234ea2c2e35a52b1eab6655b795b707be52ad70fff3c807f598e0e79c06beb0e8c63

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.14.cs

MD5 ab3377ae77b1fb6bd4fc4e43759c0fb1
SHA1 1f4a028dee60daed581b1da60e75634fbfe5eb16
SHA256 dfa6e0a38e5d09adaa87934418f70164ee8ef25aaab8f684bc3927ba3b48945c
SHA512 09fe99bfbf0c9f837dc184ad8300062fc2e21bcd20db7eec5698b51f0e14d3bd58350dd6481e4d16323ff0911bae2ee8d3d5f82f767784fb8c459d8532825e37

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.13.cs

MD5 be7663b9d449f6c7b77516bcb38d0c58
SHA1 b8bfb5d6f0fdb5db2838d5c670412b0cabb66ce0
SHA256 e3c9d1e1db307368a70b6fd8207f142d004daf44362b35898cee274ec273ae47
SHA512 5ca7a9c1ed8772d372a759ed1c81c87ee82666fcfa2eb3888018a022a5832df8be672e9e78b3109d12793451bbfb650b3fc39b981e465118fdae42b3121a7e5d

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.12.cs

MD5 8880357a41551373385287844a1f8b98
SHA1 51376f9305b169be8fe30fc5ab17f11cb15e61b8
SHA256 1dc3dd8fe050adc250d0c92b9e39157f8d2e4d44af58a63fad19768a2560e51c
SHA512 325a6b1f35b0a697032a65ab270371d8f508f3d43618ae797720d4d060dab0c65c636f9bf6633573c2f87ce5f6b3d07b1ea22500fd7749cd708b78eda6ae7b4e

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.11.cs

MD5 04ae3a68161fe97be71f47ebe01cd092
SHA1 a1b92e9e3d6cb90e0ce9b46c96b34afb5f2a1f58
SHA256 49a439c8ef51124dcb4bfe244a3f491b172173e9866f03ab755f77075ca34e5b
SHA512 8e78e531a77279916b46ee8bb02ad0c976b09675bc4fa5b6c225c6dcee8187230257b9699bda647b79674cbfe8ef4ee78a784a3533259ee5b37b6a986c114357

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.10.cs

MD5 6b8b32677e06b2079233f768b62cba17
SHA1 eab30b3358f5ec9fc398ac279534ab3cac841e38
SHA256 62ff5c7aabd650a09ab0e004d35ceb4122b560ad8a97aa21f23d7d422c9c004c
SHA512 adcda4851b4655f163b3160971d74c940c29f4b9452f3df3ec58de444b42c1aaed23427d6eefdb1aa4e8663ed042fa29c3081fa405726e96957bb7dc11c9b40d

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.9.cs

MD5 5b9f372a0acf9fb5b90d7a9a1af91d88
SHA1 d8cccc8cbe97e7ccdf023e4b2021c648f52a145a
SHA256 5e020cbd92f799d779d0fd7c6817e14363ad705e253715290195ea617ec7e978
SHA512 7b2130df3fc3a51c0879073ad1974952856bf2636382190b16916d9749eba2b6df3da332f6a3541999119ee2c797a15715f54f2d2dc6f17cf4cd7494e074cf48

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.8.cs

MD5 67d53263983c9681f631c6b89a39d068
SHA1 cc92fe38309135298262dbbc40b3a7219e133f9c
SHA256 3072b3878e03d859ee50bd3d25e7dec0493c2542b8d8c57596f087416d188aad
SHA512 d5d2a605c5c52f4c0075095bb0eab5aa90041cf7c80c8dd3d51b93ac6fac12de32928666b0675041d96ccb31996d8f6df3bb5492f4cbfb40f30ccae9bf38284e

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.7.cs

MD5 465349320047260b1b7b3ba7424207f1
SHA1 beb35318c1b07f1db7b6809a60d11f524cdc612c
SHA256 85a1cf91e4ac8ad79805f00561ded195147b1cdd20b6b9a99b24335c2fee1bef
SHA512 168196115c858486264aa1721f2963f378d8743d59c113a37540cf9e7fecbbf0db67abecb21e9ac82ea8b4db76957ca7f1c7eab1b30254ee38b54fa7a0df30b9

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.6.cs

MD5 825f882478a2c1437066b183a236b12f
SHA1 90680eefd7fcf2b3244592a3d7652714b8417056
SHA256 24fad61a2b96da2f3c867461efbda3b448b4d9520fc21afea34d345d11450ce8
SHA512 ccc9e2251646bc13c166d8867ae186654e235201535caca0c09721ef43d96e06803c5b1ac89e5e4b0def047a22785bc11fe701e2986f17cd18ec7e0ddc61efb8

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.5.cs

MD5 a1c961e6ecc514cd083ca5a78b65ee4a
SHA1 45c8dd6bdd0ecf2f0de15ac46dbe14d9b432110a
SHA256 1c6dc3335cea66271b2664e27763a489a8c7a512d33bafc1fc5fe96b365374e6
SHA512 8ddd224ba1bfed8ed1121c8de71d716548c67b58ff20255c89383472e1f5bee44e004abf267c5edc8744263a3c84f0198aaaab02a2f401429cef06e929b61341

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.4.cs

MD5 352d6180624651e5e63204b496c425f8
SHA1 a04c3b97c47e45c7c82dca858a0f412a03bf7770
SHA256 325c6b2edabd42db57da63ab71c81cbac37084d970f6abeba016f10fcb62b2c7
SHA512 f6b6c6a7730c84dc2c6dc9152dd5243e974df2474385b1059d8c5c1b473274158fb335d21affefcbe93bab7e8fd7db8d1168839ba1210c7b912c2cd9937509f8

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.3.cs

MD5 c774d493985f78439a8d3d4eefb51ec4
SHA1 145c27b9d54c60d99d7a9e537a809485beb0996d
SHA256 39ea9ecc5a70cb1a96d2ac19c2680d669972b09e93082de80f55744134528fe4
SHA512 3ed9cf0c589ae20e31a852de7ca3400d22f55cd24ae1aa1414253dfcd7d19441147dc221a961f86e998eeaeddce8f58e94530aa8f65a8271c541d0f952e7585b

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.2.cs

MD5 6bd7373e97899b748db753f17019ac92
SHA1 da6f42c0c6e705c043f2e563d2281714065613d4
SHA256 5f87a2cfb7d70d61c6ebf97b172a58c0e961e8226f42561b7bdb5566ea7598a9
SHA512 94539a2188490c82bd036d8265759880dbf6d2bf049214041373444791f98af4051a2aa5ca7071f0fe2d0d8927a4e31479ac5a854e66deb2a4c0462cfd3984fc

\??\c:\Users\Admin\AppData\Local\Temp\skeocaz0\skeocaz0.1.cs

MD5 0ff1482c094460751d73107f122e6deb
SHA1 a2a84554099aaaf52a53a689aee58b91ae394b0f
SHA256 5c9b048ce69f99a8c752bd182ef159871df675b638220954669b0006e5ff4ade
SHA512 fbd8c092afa7aea79ed7ba3cd85c7847c2a2c02fe88a245928ff2e48107d10d14082b1eb2334a631b6135b72b67719848d69bc64ae1bd272bdd628ff9bf02142

\??\c:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\CSC1CEC30DC5B5475EB0CD967E3203485.TMP

MD5 75991e9bcc54a3ff04f7ecc46d310fa7
SHA1 71b854c71cd2345adbfc2691dd6520ae4d66fbc6
SHA256 6d42dade9d0939911722454b97bcf2f639ca77a653a60615cf1dadbb0c43a427
SHA512 b896f456cd58e6a80f067a61bd4e0a5268247b6d7043868fb5291f71be98c9ddeffbfec945f5d3d9af8f10e3be41bfa0ea6f7b82057e0073c06f84c94ce8e890

C:\Users\Admin\AppData\Local\Temp\RES3EE4.tmp

MD5 0582643c4bacc5102a001720e0d5f42f
SHA1 b75b8fde9cec5778b26194dbd81ae629f62d9f80
SHA256 d7085903c0fd2c52188141fb468db29fc73590c20de9ca2da87bfd5811cb05b9
SHA512 91e8f302283baf9b8026c5d508c47cdac7c2cfa174787a835f1a695f412bc90ca40e44e8ad6ba2010d76801d3a9fff89125bd9740a546bfe4d9e05c02df69964

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\RamonlisTools.exe

MD5 13d934a28f6d853c33acafec693c0ae4
SHA1 abf9479953a5547e5febb3306f3dc325f502c84c
SHA256 3ccf0111a326f4b3ebbfd217e6874518fe9a3821325549567e7561b52962aff8
SHA512 8930aa62b11b64b04ee74b829edc66a93309fee08bb630dd5ca76f817a0b493c2e5e648903dddb16ad9f3650406669614ce81310b0ed9290cd3cb7747818a232

memory/1588-11737-0x00000000010E0000-0x000000000115A000-memory.dmp

memory/1588-11738-0x0000000000EF0000-0x000000000102E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\RamonlisTools.exe

MD5 a479959c9e37449707708c47cfd1694e
SHA1 899482fe451186bf554704b43d347c1490515139
SHA256 b0988ae366c7727bb4d878d438f1afa2596140c9fd74ef312153ecde3ea45cac
SHA512 e125e8c7b6573568185872d8a0407d9a4ba67a4692401717713b37ae109a7385ea98d05f29ed50ec1c8fe3e08ecf4c42c460634ab8d17a04b6b20333920a9e5b

memory/2348-11741-0x0000000005EA0000-0x0000000005EA8000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240221-en

Max time kernel

133s

Max time network

129s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000014a5852d56442329dc73771deffece577d096ddf7189370d75dc35e23a4af3f6000000000e80000000020000200000004b9259ac5a00eaa88646d0a8bb186245d445157dc2a4e46eda30a7d3c45ab92320000000d38dfde4193fd184125c93b1ec0d4bf00c91345404056809783eda3b159d9f2f40000000211e96f1e54973256040abeadad5ee51d86b6e98e4d5ec863124c28a312d93d311859d9c02edb519ea1f3fb6ddd29f12e8b5bc24fbe58c5acc41804663fab77b C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not reproduced in this report] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302306b9d2a2da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421504725" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4852D31-0EC5-11EF-82E1-DE62917EBCA6} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 1728 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2176 wrote to memory of 1728 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2176 wrote to memory of 1728 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2176 wrote to memory of 1728 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 1612 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 1612 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 1612 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 1612 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1612 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1612 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1612 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1612 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2905.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 415ca7457a33dd34769e9dc2b6781420
SHA1 a448f76e0112a297b491857ca59c2358dbb235de
SHA256 aed2a8e2d3a1c153d5fd88cfb2bbd1c69e45efec48e9583194b676bd375d5e4b
SHA512 44198f835e78ed904603d5e279e69c234b1c570fd66fd3b9fad8c2d824bd36ae944add70658bb17f4731f55a126a69f1c357343ecdb5b7815a792cb5b39b219d

C:\Users\Admin\AppData\Local\Temp\Tar29E8.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 950a1b687e7942e6e2707f5ccaead4a6
SHA1 6c4398598834f4317b5d19bf8d27bf5cbca2fabc
SHA256 5250e68f1b5b170307e193a908f1914c12418f86c0f5c8470ef388b142b7a617
SHA512 64e8c55623ee15f7df29e0c2ee81944d3caade0fb314f70b80ead8bb5fe4499cb63889c8f61ee662142e718da5e17b78f6cf105d897fae14e4b651e41bba527b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0095f48a647245c5a4217f7aec90446d
SHA1 f2bd5c35f5e33b3891a5787ed669d08a201fade7
SHA256 e06d1e238a96ef1c6c78e5f0acb746a0449fec78521e472142b722e908da86a1
SHA512 448719462d242964257bc9cc5c34634afe45719afb364d8b9dab74f39c47b0fd220f7b89812d617fd8926134b6a89029cff116a8b65a29d2784aed78e22a0f41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7453a688862a1f401327eebd1c7801b
SHA1 deacdcc589e6410b5fbc664c0ced2cbdf6099fd1
SHA256 354edc5ffee1cb7183d14013f55f7494ed5b45a6060d1f0e94f952b83b6249a4
SHA512 b8cdedfb8672843f3a28f8d31564cf400fad95c122a18f8e08292fc600e725647ba57636a03c088e760a82e1e03c1757fee917906f5aaf114b9453d3ddd4bb0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 422b508775a40f8924334570a87409c5
SHA1 3a3422d512406748efaf1ec77251432cc7d35865
SHA256 7b613c68b4fa67dcd8d65579121e5376e2a9fc509d64bd829bd16856fdd50566
SHA512 6c82c63600df1ce1d04464caaa6d6676a1c829fd4fd3da054ba8d1f0a270d5e0cc80649115a4df15ec0b2bc76db3523b2516ce93bef744eb281c1d9bfba4a1e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b089a57f5bdac7bc01b85ed01ec3c2ba
SHA1 90a6a03d0a2f59234ee77b85fb2db06a46eab8f8
SHA256 8e4e085c104b97677eb164888ef05063e74c6484793f9d1e98069182bd0c0200
SHA512 1c9818d38f33f658d6e1d4cea0de1e0c38d31b42136ebb26680feaa56e27a0f19fa6885e0eea9a114a89946d43ea3b8054dbef50b8012291ddec87136aa862da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbab5507ce4e579eaa927119540bbca1
SHA1 7bbd06d3657fe79b08431e9414e4c7219abc0b43
SHA256 74113a58a320ed24ae9f01534de30f53c4327b260bce138eb785bc9cd378bc05
SHA512 a6ece019f67ddb3f6419cbc3879742f6d54c44a6be34262ef58d243413c3ca781ad146b6de7210f6b0822a034a9d5c0fe61da49444e88d95a35c40cc3f6b88d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45cfc4ca576b379047aa243ec8169af0
SHA1 5b3ec208d798f5f125bb511639915fa729e31185
SHA256 fd836eff2cece87af3bc6f18fceaf183efe1f80e4e4bb4e61e751026d76e01e5
SHA512 d05d8c2db8860e711307fa8e0846cd6690c4319830fc4afb96a16a6d669262e4be85c27abf4630e7f4882f6fab1269fb99d49079326f004fe99a9af441f987ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cd356642947a721ed5d6afbce0c2507
SHA1 f28c4e4b3876f7a9c9a67ffad31ce2f7ab89fb8d
SHA256 47ffe4738e81db16b2c9812a30966bd1c0a07d39d65dacd301bf54141ad4c5e6
SHA512 d8cdc5a65321d587e59148f3a04db5c7072fffb895291b396811d3da88755e5af3fe7e0cc7b1d646563f9aa79ea099ee5b55d2f339ec8448a81e73c40c51843d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1827691deca5c5f41d55d265dae26314
SHA1 541ab0f2640f4f3b5a34eeb8776f9865aab61160
SHA256 70896c688c015a6d6f375158a6151f66f0af55cd19c6d681cd8f3f6365c6fdcf
SHA512 dea58e7bb6954d883915613686008128457ca855c521780595e92e54cb5620c33fc6d8bd780fc5eb6985f923ab1ae468c4c0870ce74fb0b5b80b963ee7a9084b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97e6a18bccc4aa00e4d5cd854a6d5333
SHA1 f2877a39e26c944c0e4b108e6293f5c549c88171
SHA256 957881fbf50574adccda6500f3e2cabb775829d6dc65b629f33f3165f3d299a4
SHA512 24b9bd956e751693244c04d237439e8e199caf9204b34d8a62fc6e2687d8358b0649b13b9acd3e3e6d251357b5d5ae096370f90f7232044988a9ee4aa8341841

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2776ea0a330b923550d6bacd50450104
SHA1 6f41a8603e725c2955775fd668555164b8db7dfc
SHA256 afda11a21355267d1f2413128e47bf7cbec25802a05c04af046a9064b05349d4
SHA512 eba6ed78085d87a9caf6911ad87484880ff0f35eca35510a47311e3bc571555987a33217ad928baa24579cdf91467b00ca367a23ff5aba35047c5722326f34ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd37ed2020fc294f8fbf34de4008660d
SHA1 753ec84035e8877be2ee12ac54b1a9b01ea415d4
SHA256 781d8233e50f960bc61fd85d40e841b3dfdf533c2bca08de1b140f745a15453f
SHA512 6705cbada7d6924521bfd4a04eb6507bfeff83b8b855ed8c35f68857974df10dcf45b70acec4876c5569e72b1dd8334f7d0e5b2983c65ef4ab2c16bf6aa975b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f133aacd7c35d5495b59e18a6c1c360
SHA1 a15f4ee0d2da5352b7cd8e95171af60e4ca0db5d
SHA256 c498ab31e3e4455c377066c509c04ba8ea2502e47da5e919e302ab9332c3d641
SHA512 c393349e96ceae788917ff8d2005042afd58932bfd2c9e2e7f838911d9bb1228314b0a107f9973f922f89b0b2b34683a6801e8a5f21d2b61d4e03f79f545a580

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa0aefc3ffa7f479d4405193e012f5f1
SHA1 091b4e66b984e49f55fcafd03942d3afec5640fb
SHA256 afce175362570805933251bb05eae58a2a4fedf974a82f3f87cb538afcbf8033
SHA512 56e7fe9a487dd1db780a2510b7eed40af66aaa39948ab21b61f0832e4ff226ff37f2f426a9ffd02b4e5a28e876eba20e9b614b8d773472256fb1bce8e43b112d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90f38f82ae913837cb9d45953ed610f0
SHA1 ddf278edaf20aea50ff9780d5b03ada8249cc36b
SHA256 44715f864e23686998278b20eb26de9738fe6d038b7a1fcdcfddbbfb73d568c2
SHA512 954eb80a7ba944b27bafdad352fc99484d3ae39cf90c9dd67dcd835a051ec1c3326df6e729ab7657fd9d54f909fea0ee18978c292d95f64c52df06c29ba06e59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2700e3da59938c4873b3d65e91d3a8e
SHA1 ba5bc13edab9db870686be1e39954b49aca709d9
SHA256 41d2d69f95a6c4be98facc9ba3f8e44e45edca28556c7bf451cd8fd67a863492
SHA512 44cfddbb114a34be7cd8ee907bab0b0834ee11180bfb503b803584adb071c7f90606c974c8fd249334f78c4d2203b3fca399fa3ed0fbede63904634373a4cce3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9814048b8b00308fc6f7adaeb8d0664
SHA1 9ab3d6c40ddb659be2b247e71f87b61f537f1c89
SHA256 efefa8e88540ede381c1b0b2acb26cc833cac082a616996ee80171ac7ab47e89
SHA512 f8c8746d235eeda8c81e32fd2f4d7e843397c07f869bff3c8ce736b959a36a30411159db4197cf7c56e98d10587b34381d81698393547cec22a7ef9f3b288932

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 12:07

Reported

2024-05-10 12:10

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\README.md

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\md_auto_file C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\md_auto_file\shell\Read C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\md_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\md_auto_file\shell\Read\command C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.md C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.md\ = "md_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\囄ᨀ谀耎 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\囄ᨀ谀耎\ = "md_auto_file" C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 3384 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 3520 wrote to memory of 3384 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 3520 wrote to memory of 3384 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 3384 wrote to memory of 1212 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3384 wrote to memory of 1212 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3384 wrote to memory of 1212 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 2040 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1212 wrote to memory of 4608 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\README.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\README.md"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A02B2F141707F67B0FB0EF6F67D9DC6F --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B91B6B8F99A8CADA00B0AB77551F0C32 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B91B6B8F99A8CADA00B0AB77551F0C32 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B1A799CBD2B962C95E3541E9C6E65B2 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0B55A46F6BBE0BA81DAC9310E20AFE3A --mojo-platform-channel-handle=1972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=504A02A29083EE08A155A91730402D1A --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 156.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 151.16.21.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 ebf89f3c34c2a59f6e74a6c8d1bdb397
SHA1 575e22a098427f2c99d1fa8ef5c5f884983cecca
SHA256 f5dc5975db7bf4a0b86dfe1c840d9a648f9c101c9582d7bca37a0d65bf0740be
SHA512 b01aabcb01bc3a14261c1582b6a8ff25b7fbe03c11aa8e2f3ff93065df355c285d5490af6f8c8b6742508e0c3754dcaa579e2c9a5d99010832803eaa7f359c34

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 3585d53b04059122d9fe18f11b226260
SHA1 c284d4733949d10082d35e0a9f219039c561f06b
SHA256 705a22be99a6e43cc33adf814f05d0ed34acbe9f975ccaff841fb352400fa96d
SHA512 5b9173b27d05d379f8cd790d4e09a87b742757731d5d57cfefbca80daa356f53785ec86eb7f44e2dc0531d92469d100ffa9a4bd8880a3cec48bfb1f5649993f0