Malware Analysis Report

2024-09-22 23:44

Sample ID 240518-bw6faadg69
Target a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45
SHA256 a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45
Tags
asyncrat stormkitty default persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45

Threat Level: Known bad

The file a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45 was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default persistence rat spyware stealer

StormKitty payload

AsyncRat

StormKitty

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many VPN software clients. Observed in infostealers

Detects executables referencing Discord tokens regular expressions

Detects executables referencing credit card regular expressions

Detects executables containing URLs to raw contents of a Github gist

Detects executables with interest in wireless interface using netsh

Detects executables using Telegram Chat Bot

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects file containing reversed ASEP Autorun registry keys

Loads dropped DLL

Executes dropped EXE

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up geolocation information via web service

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-18 01:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 01:30

Reported

2024-05-18 01:33

Platform

win7-20240508-en

Max time kernel

146s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables with interest in wireless interface using netsh

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2704 set thread context of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee
2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195
f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2024 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2024 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2024 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 2024 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2024 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2024 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2024 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2024 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 2024 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 2024 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 2024 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 2024 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2024 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2024 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2024 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 2704 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2704 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2804 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2304 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2304 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2304 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2304 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2304 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2304 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2304 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2304 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2304 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2304 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2304 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2312 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2312 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2312 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2312 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2312 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2312 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2312 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe

"C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe"

C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

"C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe"

C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

"C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp

Files

memory/2024-0-0x0000000074631000-0x0000000074632000-memory.dmp

memory/2024-2-0x0000000074630000-0x0000000074BDB000-memory.dmp

memory/2024-3-0x0000000074630000-0x0000000074BDB000-memory.dmp

\Users\Admin\AppData\Roaming\AdobeUpdate.exe

MD5 bb2f6ec73b6646fb1d674763a060b42b
SHA1 dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d
SHA256 0f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de
SHA512 9df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8

\Users\Admin\AppData\Roaming\Microsoft Edge.exe

MD5 e7f8c4ea62d6c4ae774f981480c6b232
SHA1 2dad33c36ad472cee4ca8231c723e92bd7033b7d
SHA256 c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b
SHA512 f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7

\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

MD5 081247dd185e8d1a9d8aaf745fe103ca
SHA1 24cc30dd55d0519a9b2561243ddb55512824e7c7
SHA256 b5f56facdbb2d5ae278eb31ff16a226b73da97afd62d385b2798e949d12b54c3
SHA512 ad2600dcafecfbc0473db9011f8d3969a1d1a2ac8affd1fc1430145c6b0c21ce9ade1a2e208ef808b05ca421706800839ed618486e3a421b8d14762736631c27

\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

MD5 ac7938b542469a1c5bb108fc046ac87b
SHA1 9571a4ab3359b982f0ab33b03e815df8c354b0f3
SHA256 1efd1de7aef995821042509c66121a942c7ee8e004badbb4e14a10b5d7c96292
SHA512 a669d873bfbe176b6e8b365178272b8666eeadc85e74a814c10e0d5217b988d8f11ef94aa495cbd9ad47d63f4483872c3e42e18c9554db7572ef14321682d257

memory/2024-29-0x0000000074630000-0x0000000074BDB000-memory.dmp

memory/2744-31-0x0000000001070000-0x0000000001138000-memory.dmp

memory/2704-30-0x0000000000330000-0x0000000000366000-memory.dmp

memory/1864-32-0x00000000013A0000-0x00000000013A8000-memory.dmp

memory/2704-35-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/2804-48-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2804-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2804-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2804-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2804-45-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2804-43-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2804-41-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2804-39-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\2fe999847867821a77d7d27190c5447e\Admin@UOTHCPHQ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\Cab6542.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar65B2.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8cd7def910eb763d8ce42e97d86c5d4
SHA1 7d86521cd5a15327cc538faf7a985f2954ea4537
SHA256 82dc25a7aa4c2c13b5d11c774ef43858ba4005447beb6401f8ae08ab8e4131b0
SHA512 de3e8c1a1a987627a673def8697485ed6801b4b4859cbfaa9040925dfd3d8d6a59fe811885280099134625ad433273328fc5e3e9e757d4b197da26edf8b9fa4b

C:\Users\Admin\AppData\Local\ed7cccb5b00bc48b099c27aa13cdebb9\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 01:30

Reported

2024-05-18 01:33

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables with interest in wireless interface using netsh

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
File created C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3604 set thread context of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 3568 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
PID 3568 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3568 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3568 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3568 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 3568 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
PID 3568 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 3568 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 3568 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe
PID 3604 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 3604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3056 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3056 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3056 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3056 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3056 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3056 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3056 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3056 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2072 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2412 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2412 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2412 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2412 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2412 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe

"C:\Users\Admin\AppData\Local\Temp\a6945022a177e2c032559092d2dcd81807c79e9204370448e9416dd8b670df45.exe"

C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

"C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

"C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe"

C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

"C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp

Files

C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe

C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe

C:\Users\Admin\AppData\Roaming\Flash USDT Sender.exe

C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\Browsers\Firefox\Bookmarks.txt

C:\Users\Admin\AppData\Local\53532227903e56703b337a3b1a511f4d\Admin@BVRKIPTS_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\7ce91980f70991cbf16131561505ee32\msgid.dat
