Analysis Overview
SHA256
2a81763ec0377125d360703185d9f1690c4f3ec8422169f01b80bb63664e7ec9
Threat Level: Known bad
The file 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.zip was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Stormkitty family
Asyncrat family
StormKitty payload
StormKitty
AsyncRat
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Resource Forking
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-28 08:21
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 08:21
Reported
2024-06-28 08:22
Platform
win7-20240220-en
Max time kernel
34s
Max time network
16s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe
"C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
Files
memory/2968-0-0x000000007423E000-0x000000007423F000-memory.dmp
memory/2968-1-0x0000000000130000-0x0000000000162000-memory.dmp
memory/2968-2-0x0000000074230000-0x000000007491E000-memory.dmp
memory/2968-69-0x0000000074230000-0x000000007491E000-memory.dmp
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2968-78-0x000000007423E000-0x000000007423F000-memory.dmp
memory/2968-79-0x0000000074230000-0x000000007491E000-memory.dmp
memory/2968-80-0x0000000074230000-0x000000007491E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 08:21
Reported
2024-06-28 08:22
Platform
win10v2004-20240611-en
Max time kernel
23s
Max time network
20s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe
"C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
Files
memory/3564-0-0x00000000749AE000-0x00000000749AF000-memory.dmp
memory/3564-1-0x0000000000150000-0x0000000000182000-memory.dmp
memory/3564-2-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/3564-3-0x0000000004BC0000-0x0000000004C26000-memory.dmp
C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\System\Process.txt
| MD5 | 5f05e296421dbdcc7197e77787882de3 |
| SHA1 | b33c585d697d6bebf0d3c28e8c2df3534d4f1d31 |
| SHA256 | 05f53de5c1b817d4e7edc03eb13485a6f0bd2b23a7815aa3d64610886cf8a1f2 |
| SHA512 | a3cfd97a89ef3f06569c56077f9b8b7c0872e894d8b7c188d7043af29827de1978f46fa20583893af881b9b805a38ef08f001b514bd28ac4b053341a2da18536 |
memory/3564-150-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/3564-151-0x0000000005610000-0x00000000056A2000-memory.dmp
memory/3564-152-0x0000000005D60000-0x0000000006304000-memory.dmp
memory/3564-156-0x00000000057D0000-0x00000000057DA000-memory.dmp
C:\Users\Admin\AppData\Local\046b6fa220d7c271e56e5729a34d75e8\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/3564-162-0x00000000749AE000-0x00000000749AF000-memory.dmp
memory/3564-163-0x00000000749A0000-0x0000000075150000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-28 08:21
Reported
2024-06-28 08:22
Platform
macos-20240611-en
Max time kernel
25s
Max time network
28s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]
/bin/zsh
[/bin/zsh -c /Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]
/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe
[/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
Network
| Country | Destination | Domain | Proto |
| GB | 51.132.193.104:443 | N/A | tcp |
| GB | 17.250.81.67:443 | N/A | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp |
| GB | 104.77.118.121:443 | N/A | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| GB | 23.59.171.27:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-28 08:21
Reported
2024-06-28 08:22
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe
[/tmp/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]