Analysis Overview
SHA256
a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45
Threat Level: Known bad
The file a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
AsyncRat
StormKitty
Detects executables referencing Windows vault credential objects. Observed in infostealers
Detects executables referencing many VPN software clients. Observed in infostealers
Detects executables referencing Discord tokens regular expressions
Detects executables referencing credit card regular expressions
Detects executables containing URLs to raw contents of a Github gist
Detects executables with interest in wireless interface using netsh
Detects executables using Telegram Chat Bot
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Detects file containing reversed ASEP Autorun registry keys
Loads dropped DLL
Executes dropped EXE
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Looks up geolocation information via web service
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-18 01:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 01:30
Reported
2024-05-18 01:33
Platform
win7-20240508-en
Max time kernel
146s
Max time network
133s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing Discord tokens regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many VPN software clients. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables using Telegram Chat Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables with interest in wireless interface using netsh
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2704 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe
"C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe"
C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
"C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
"C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe"
C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
"C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
Files
memory/2024-0-0x0000000074631000-0x0000000074632000-memory.dmp
memory/2024-2-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2024-3-0x0000000074630000-0x0000000074BDB000-memory.dmp
\Users\Admin\AppData\Roaming\AdobeUpdate.exe
| MD5 | bb2f6ec73b6646fb1d674763a060b42b |
| SHA1 | dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d |
| SHA256 | 0f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de |
| SHA512 | 9df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8 |
\Users\Admin\AppData\Roaming\Microsoft Edge.exe
| MD5 | e7f8c4ea62d6c4ae774f981480c6b232 |
| SHA1 | 2dad33c36ad472cee4ca8231c723e92bd7033b7d |
| SHA256 | c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b |
| SHA512 | f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7 |
\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
| MD5 | 081247dd185e8d1a9d8aaf745fe103ca |
| SHA1 | 24cc30dd55d0519a9b2561243ddb55512824e7c7 |
| SHA256 | b5f56facdbb2d5ae278eb31ff16a226b73da97afd62d385b2798e949d12b54c3 |
| SHA512 | ad2600dcafecfbc0473db9011f8d3969a1d1a2ac8affd1fc1430145c6b0c21ce9ade1a2e208ef808b05ca421706800839ed618486e3a421b8d14762736631c27 |
\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
| MD5 | ac7938b542469a1c5bb108fc046ac87b |
| SHA1 | 9571a4ab3359b982f0ab33b03e815df8c354b0f3 |
| SHA256 | 1efd1de7aef995821042509c66121a942c7ee8e004badbb4e14a10b5d7c96292 |
| SHA512 | a669d873bfbe176b6e8b365178272b8666eeadc85e74a814c10e0d5217b988d8f11ef94aa495cbd9ad47d63f4483872c3e42e18c9554db7572ef14321682d257 |
memory/2024-29-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2744-31-0x0000000001070000-0x0000000001138000-memory.dmp
memory/2704-30-0x0000000000330000-0x0000000000366000-memory.dmp
memory/1864-32-0x00000000013A0000-0x00000000013A8000-memory.dmp
memory/2704-35-0x00000000003E0000-0x00000000003EA000-memory.dmp
memory/2804-48-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2804-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2804-50-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2804-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2804-45-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2804-43-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2804-41-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2804-39-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\Temp\Cab6542.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar65B2.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8cd7def910eb763d8ce42e97d86c5d4 |
| SHA1 | 7d86521cd5a15327cc538faf7a985f2954ea4537 |
| SHA256 | 82dc25a7aa4c2c13b5d11c774ef43858ba4005447beb6401f8ae08ab8e4131b0 |
| SHA512 | de3e8c1a1a987627a673def8697485ed6801b4b4859cbfaa9040925dfd3d8d6a59fe811885280099134625ad433273328fc5e3e9e757d4b197da26edf8b9fa4b |
C:\Users\Admin\AppData\Local\ed7cccb5b00bc48b099c27aa13cdebb9\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 01:30
Reported
2024-05-18 01:33
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Discord tokens regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many VPN software clients. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables using Telegram Chat Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables with interest in wireless interface using netsh
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3604 set thread context of 2072 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe
"C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe"
C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
"C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
"C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe"
C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
"C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
Files
memory/3568-0-0x0000000074D22000-0x0000000074D23000-memory.dmp
memory/3568-1-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/3568-3-0x0000000074D20000-0x00000000752D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
| MD5 | bb2f6ec73b6646fb1d674763a060b42b |
| SHA1 | dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d |
| SHA256 | 0f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de |
| SHA512 | 9df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8 |
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
| MD5 | e7f8c4ea62d6c4ae774f981480c6b232 |
| SHA1 | 2dad33c36ad472cee4ca8231c723e92bd7033b7d |
| SHA256 | c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b |
| SHA512 | f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7 |
C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
| MD5 | 081247dd185e8d1a9d8aaf745fe103ca |
| SHA1 | 24cc30dd55d0519a9b2561243ddb55512824e7c7 |
| SHA256 | b5f56facdbb2d5ae278eb31ff16a226b73da97afd62d385b2798e949d12b54c3 |
| SHA512 | ad2600dcafecfbc0473db9011f8d3969a1d1a2ac8affd1fc1430145c6b0c21ce9ade1a2e208ef808b05ca421706800839ed618486e3a421b8d14762736631c27 |
memory/1348-35-0x00007FFF98773000-0x00007FFF98775000-memory.dmp
memory/1348-36-0x0000000000820000-0x0000000000828000-memory.dmp
C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
| MD5 | ac7938b542469a1c5bb108fc046ac87b |
| SHA1 | 9571a4ab3359b982f0ab33b03e815df8c354b0f3 |
| SHA256 | 1efd1de7aef995821042509c66121a942c7ee8e004badbb4e14a10b5d7c96292 |
| SHA512 | a669d873bfbe176b6e8b365178272b8666eeadc85e74a814c10e0d5217b988d8f11ef94aa495cbd9ad47d63f4483872c3e42e18c9554db7572ef14321682d257 |
memory/3604-48-0x0000000071EFE000-0x0000000071EFF000-memory.dmp
memory/4356-52-0x00000000010D0000-0x00000000010E0000-memory.dmp
memory/3568-53-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/3604-55-0x0000000000FD0000-0x0000000001006000-memory.dmp
memory/2004-57-0x0000000000410000-0x00000000004D8000-memory.dmp
memory/2004-58-0x0000000004D70000-0x0000000004E0C000-memory.dmp
memory/3604-56-0x0000000005F10000-0x00000000064B4000-memory.dmp
memory/2004-60-0x0000000004EB0000-0x0000000004F42000-memory.dmp
memory/4356-61-0x000000001B6A0000-0x000000001B73C000-memory.dmp
memory/4356-59-0x000000001BD20000-0x000000001C1EE000-memory.dmp
memory/4356-63-0x000000001C2B0000-0x000000001C356000-memory.dmp
memory/3604-64-0x0000000005850000-0x000000000585A000-memory.dmp
memory/2004-67-0x0000000004F50000-0x0000000004FA6000-memory.dmp
memory/2072-70-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4356-72-0x00000000011B0000-0x00000000011B8000-memory.dmp
memory/2004-66-0x0000000004D50000-0x0000000004D5A000-memory.dmp
memory/2072-74-0x0000000005110000-0x0000000005176000-memory.dmp
C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\System\Process.txt
| MD5 | a120a045903534a9ac3a2b56568a1ac8 |
| SHA1 | bdccb77c9348909de2119eacd007f7d85157a0b1 |
| SHA256 | f61e646a5bc0e0a3356380be9d0f3ed75fad15973674e3abd00d25b9d0d5142d |
| SHA512 | 6d1de9f05c1b3e201567f8140edbb4e994e655c49ed9873e7e3b77d5fe250d29583b39d107567f3ed5997a7dcb1045bb31ea27d45e1bd345a4c5e8b9a2d5f269 |
memory/2072-235-0x0000000005DA0000-0x0000000005DAA000-memory.dmp
C:\Users\Admin\AppData\Local\7ce91980f70991cbf16131561505ee32\msgid.dat
| MD5 | 7cc9c2cd526bc6d81fa20e994dcac2c4 |
| SHA1 | 76ef18ff2c312c1c48619e071c9330424a8dd7f9 |
| SHA256 | 53dec92c63e0135a6a824f38c38beddec7652b4f0a1e45973649dde5740afa0c |
| SHA512 | 9faeafe8b9b4131dfbc67cde6eafa341a30921240ada4ed4351008d49b48b3b5cea42e38a25e5aaab2f825f0a928055e55648f666b9000463c2026c9d28d55af |
memory/2072-241-0x0000000005E50000-0x0000000005E62000-memory.dmp
memory/4356-266-0x00000000010D0000-0x00000000010E0000-memory.dmp