Malware Analysis Report

2025-01-03 07:36

Sample ID 230817-jmp1yahh9t
Target 1006exe.exe
SHA256 2e6a4680aa9b24612ca07e1492964a84e2fc9bdf5086e1311f05d8e3d034b65e
Tags
asyncrat stormkitty default rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e6a4680aa9b24612ca07e1492964a84e2fc9bdf5086e1311f05d8e3d034b65e

Threat Level: Known bad

The file 1006exe.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default rat spyware stealer

StormKitty payload

Stormkitty family

Async RAT payload

Asyncrat family

StormKitty

AsyncRat

Async RAT payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-17 07:47

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-17 07:47

Reported

2023-08-17 07:49

Platform

win7-20230712-en

Max time kernel

101s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1006exe.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\12aab524e3565e1bc4395d65c62653d2\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\12aab524e3565e1bc4395d65c62653d2\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\12aab524e3565e1bc4395d65c62653d2\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\1714a62bcf7576dde54c074ab3be2f9a\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\1714a62bcf7576dde54c074ab3be2f9a\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\1714a62bcf7576dde54c074ab3be2f9a\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\12aab524e3565e1bc4395d65c62653d2\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\12aab524e3565e1bc4395d65c62653d2\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\12aab524e3565e1bc4395d65c62653d2\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\12aab524e3565e1bc4395d65c62653d2\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\1714a62bcf7576dde54c074ab3be2f9a\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File created C:\Users\Admin\AppData\Local\1714a62bcf7576dde54c074ab3be2f9a\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\1714a62bcf7576dde54c074ab3be2f9a\Admin@YKQDESCX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2916 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2916 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2916 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2916 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2916 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1956 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2652 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2652 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2652 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2996 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1356 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1356 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1356 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1356 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1356 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1356 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1356 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1356 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2996 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\1006exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1076 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1076 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1076 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1076 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1076 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1076 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1076 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1006exe.exe

"C:\Users\Admin\AppData\Local\Temp\1006exe.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Local\Temp\1006exe.exe

"C:\Users\Admin\AppData\Local\Temp\1006exe.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp

Files

memory/1956-54-0x0000000000A30000-0x0000000000A60000-memory.dmp

memory/1956-55-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/1956-56-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

memory/1956-123-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/1956-124-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

memory/1956-125-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCA79.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

memory/1956-147-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarCB28.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1d3477011ed4fbfc6854694492bf840
SHA1 e3ea3d6c59f293037ee1285cc923be474ff6ed77
SHA256 47af01a1d47ba9be49076abcc411a5f3137c67b26ed0ad5d6bf27edd3c1e4445
SHA512 ab78b2d851fee9983cb4065d66674e62c978a32190a636725e30b2e776404ad975fcd27b364feb0397ba2eb993978132997b6562689d6e0f55ac1a4724703f84

C:\Users\Admin\AppData\Local\69de5cd872b84d77e41370452f612c82\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2996-197-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2996-198-0x0000000004BF0000-0x0000000004C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF23B.tmp.dat

MD5 694accf657a08f14f814bbbbc93d471c
SHA1 b67a29deaf9feef0f8f11811b6d2bd97347dc8d0
SHA256 0042248d0181fc1e17f97309baa76363a71ea55585bd50595c8b45d1d3dbfd7d
SHA512 1443f080a08e826334cb8aaf29f89733270b244a5c90a06b9205977a8b72cd0ea9edc61b8d6840704780e378c3e9078f096bf85660a209903e9ca4272e48a516

C:\Users\Admin\AppData\Local\Temp\tmpF25C.tmp.dat

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 274a71a7dd742aabfc5c33ce16ffbd70
SHA1 ce0dd66351e0dbc1cc7001a0bcf635e39e293ff3
SHA256 796f7c90506ade1fcbe09fd435b1b6d374f14983f6166687f22f8b1231c55f02
SHA512 1df8eec361aa88edd7124dae8bb5a65daacd0fdf679b9d56f67a79b590ec526786d6def91e035b60705a9e25a4bcd40c0cfa4d8857cf38d9d045d9c1e3b6a3b2

C:\Users\Admin\AppData\Local\Temp\tmpF454.tmp.dat

MD5 274a71a7dd742aabfc5c33ce16ffbd70
SHA1 ce0dd66351e0dbc1cc7001a0bcf635e39e293ff3
SHA256 796f7c90506ade1fcbe09fd435b1b6d374f14983f6166687f22f8b1231c55f02
SHA512 1df8eec361aa88edd7124dae8bb5a65daacd0fdf679b9d56f67a79b590ec526786d6def91e035b60705a9e25a4bcd40c0cfa4d8857cf38d9d045d9c1e3b6a3b2

memory/2996-243-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2996-265-0x0000000004BF0000-0x0000000004C30000-memory.dmp

memory/2996-267-0x0000000004BF0000-0x0000000004C30000-memory.dmp