Malware Analysis Report

2024-09-23 02:52

Sample ID 240709-1m8xgszala
Target FLASH USDT SENDER.exe
SHA256 22e8da397dee6cd3c9cca6d64c9c767dbd044001d549b25150fb2e464e621ec4
Tags
asyncrat stormkitty xworm default persistence privilege_escalation rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

22e8da397dee6cd3c9cca6d64c9c767dbd044001d549b25150fb2e464e621ec4

Threat Level: Known bad

The file FLASH USDT SENDER.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty xworm default persistence privilege_escalation rat spyware stealer trojan

StormKitty

StormKitty payload

Detect Xworm Payload

AsyncRat

Xworm

Async RAT payload

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-09 21:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 21:47

Reported

2024-07-09 21:57

Platform

win10v2004-20240709-en

Max time kernel

598s

Max time network

598s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk C:\Users\Admin\AppData\Roaming\windows security.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService" C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\crack.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 1596 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1596 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\windows security.exe
PID 1596 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
PID 640 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Roaming\windows security.exe C:\Windows\System32\schtasks.exe
PID 4952 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3336 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3776 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3776 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3336 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2084 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe

"C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"

C:\Users\Admin\AppData\Roaming\crack.exe

"C:\Users\Admin\AppData\Roaming\crack.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\windows security.exe

"C:\Users\Admin\AppData\Roaming\windows security.exe"

C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe

"C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network


Files

C:\Users\Admin\AppData\Roaming\crack.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\windows security.exe

C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe

C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd

C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\bc838b1e8e9e75a1bafee61d9e16f712\msgid.dat

C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Browsers\Firefox\Bookmarks.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 21:47

Reported

2024-07-09 21:57

Platform

win11-20240709-en

Max time kernel

599s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk C:\Users\Admin\AppData\Roaming\windows security.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService" C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\crack.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows security.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5848 wrote to memory of 5860 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\crack.exe
PID 5848 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5848 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\windows security.exe
PID 5848 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
PID 5860 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\crack.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1556 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\windows security.exe C:\Windows\System32\schtasks.exe
PID 656 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3140 wrote to memory of 5496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3140 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 656 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4848 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4848 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4848 wrote to memory of 5844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4848 wrote to memory of 5844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4848 wrote to memory of 5844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe

"C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"

C:\Users\Admin\AppData\Roaming\crack.exe

"C:\Users\Admin\AppData\Roaming\crack.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\windows security.exe

"C:\Users\Admin\AppData\Roaming\windows security.exe"

C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe

"C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network


Files

memory/5848-0-0x00007FFD0E0B3000-0x00007FFD0E0B5000-memory.dmp

memory/5848-1-0x0000000000940000-0x0000000000C3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\crack.exe

MD5 9215015740c937980b6b53cee5087769
SHA1 a0bfe95486944f1548620d4de472c3758e95d36a
SHA256 a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA512 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 bf0258700fe3cba1282f8d366730283c
SHA1 b666e0d8f243feec6f7c9b2dfbdbe8580d9c5f23
SHA256 ba3768d532d7b4c9e2e1dea80f1b77d6915304e37a31b2f611895b54a709554a
SHA512 15e86c289cc85ddc01d9190ee9cb1cd7a7c48986a7ee2ec3336642723160b0fbe59bf4b73d703f88c2c6575c61453adfd2a9a3f8ca431fa979b2fdc6fa72284f

C:\Users\Admin\AppData\Roaming\windows security.exe

MD5 6cc2340c1306dca521b47a51ce488633
SHA1 047fdcfa7c4b349a74fbd9621db9da04406ba921
SHA256 cc6677190c144f17b6cd8b15861a200b455a662c4112c6bcc79fdcf0ad50d517
SHA512 10b2e19942268357cfd7a198d6b02dde13aadf10458bbdfc9f178968937329d7bafdc721ac794d705eb8427f95642a010e3ffb3ed7be05f2d50065752fda64e2

memory/1556-35-0x0000000000290000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe

MD5 b7d1773c7e805e0c141e9b078b8a08e9
SHA1 dfae7bd2a1d082726a9e4cb766741b29a50b4e10
SHA256 5233bb99327b627da8114e43f4de4afec77c1ee188ac93171e4651f872f809eb
SHA512 b3a620413b9f6de8d883b0793dda33d0179ec855445f47de9515fa7f08d7b9ebf166457b3402a2c2fa0277e95fb9c959cf0cbdc61e364f977ddeb0f1b676ed07

memory/1556-44-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp

memory/5860-47-0x00000000003C0000-0x00000000003C8000-memory.dmp

memory/656-50-0x00000000007A0000-0x00000000007DE000-memory.dmp

memory/2492-51-0x00000000006B0000-0x000000000092C000-memory.dmp

memory/2492-52-0x00000000053C0000-0x0000000005606000-memory.dmp

memory/2492-53-0x00000000056A0000-0x000000000573C000-memory.dmp

memory/2492-54-0x0000000006E20000-0x00000000073C6000-memory.dmp

memory/2492-55-0x0000000006910000-0x00000000069A2000-memory.dmp

memory/2492-56-0x0000000006880000-0x000000000688A000-memory.dmp

memory/2492-57-0x0000000006AA0000-0x0000000006AF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd

MD5 b2b10a7747d361324d957f3bb5de69d1
SHA1 7e8c16dada7b79cf14cb8859da6e1093fdd945df
SHA256 d58c245db634311c3940e2e27f50ffbb93e68153218bbc696aa136b7b143ba18
SHA512 8c7f5147397ef5947b29267a2bac23bd562dff9d2adec4c963158256ef4cd4f7b160e2a6093d59ef9d1143af220e94dfb5ef4d8267954e4a2d4644add5156cfb

memory/656-63-0x0000000005870000-0x00000000058D6000-memory.dmp

C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\System\Process.txt

MD5 4790503f99029569815d3cc93d63b48c
SHA1 66dcb14f14c0b1529e011ea9b74f4d40a4c0c922
SHA256 ed68e35817030503d82f50e07adb831974a28e8231cd5a21a238c33fd6d65bca
SHA512 2cc8f61164168ff295bf00107f9e3bb6e2fb14ebe302dd9dbb3e23442fc35d2a5642529c510681088e3c76ee79bb81f397068624f9df7b4da45364df79c3b705

memory/656-211-0x00000000063A0000-0x00000000063AA000-memory.dmp

C:\Users\Admin\AppData\Local\29eb23550e208a74a9f0aeaee60bbdd7\msgid.dat

MD5 b56a134da854862c93e9a26b7fb5505c
SHA1 0c38060ffc75acc9c6462b5099253292e477afd9
SHA256 c27b308e90d328f72860705c9381205d4f1fe0f3e8abdb37d9b9abd315c6c6d0
SHA512 158dea31acd9c30ac23dc216a8aa6c1e37db61106341367c0393738cd6f218edb3da38da46ce9787874289497b965349b1837e5b5ee3e5160edf4aa430c54a30

memory/656-222-0x0000000007310000-0x0000000007322000-memory.dmp

memory/1556-249-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp