Malware Analysis Report

2025-01-03 06:41

Sample ID 230818-z7rm9sff2z
Target ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45
SHA256 ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45
Tags
rat asyncrat stormkitty default spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45

Threat Level: Known bad

The file ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45 was found to be: Known bad.

Malicious Activity Summary

rat asyncrat stormkitty default spyware stealer

AsyncRat

StormKitty

Asyncrat family

StormKitty payload

Stormkitty family

Async RAT payload

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Looks up geolocation information via web service

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-18 21:21

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-18 21:21

Reported

2023-08-18 21:24

Platform

win7-20230712-en

Max time kernel

147s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\d869ceddfbbaae72888d61f058af8045\Admin@MGKTNXNO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\d869ceddfbbaae72888d61f058af8045\Admin@MGKTNXNO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\d869ceddfbbaae72888d61f058af8045\Admin@MGKTNXNO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\d869ceddfbbaae72888d61f058af8045\Admin@MGKTNXNO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\d869ceddfbbaae72888d61f058af8045\Admin@MGKTNXNO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED03B34D-4B90-4881-A8BF-BC95678536B6} C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED03B34D-4B90-4881-A8BF-BC95678536B6}\ = e9524cef14b35806954b0ec436a3d895cd71f6a67d04dda0 C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob value not preserved in this copy of the report] C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob value not preserved in this copy of the report] C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob value not preserved in this copy of the report] C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob value not preserved in this copy of the report] C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalICgDIlOjTU.exe
PID 1716 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalICgDIlOjTU.exe
PID 1716 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalICgDIlOjTU.exe
PID 1716 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalICgDIlOjTU.exe
PID 1716 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalPDkoGnLcju..exe
PID 1716 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalPDkoGnLcju..exe
PID 1716 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalPDkoGnLcju..exe
PID 1716 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalPDkoGnLcju..exe
PID 2580 wrote to memory of 844 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 844 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 844 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 844 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 844 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 844 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 844 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 844 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 844 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 844 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 844 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 844 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 844 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 844 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 844 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2580 wrote to memory of 2556 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2556 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2556 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2556 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2556 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2556 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2556 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe

"C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe"

C:\Users\Admin\AppData\LocalICgDIlOjTU.exe

"C:\Users\Admin\AppData\LocalICgDIlOjTU.exe"

C:\Users\Admin\AppData\LocalPDkoGnLcju..exe

"C:\Users\Admin\AppData\LocalPDkoGnLcju..exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp

Files

memory/1716-54-0x0000000000010000-0x000000000021A000-memory.dmp

memory/1716-57-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1716-58-0x0000000000730000-0x00000000007B0000-memory.dmp

C:\Users\Admin\AppData\LocalICgDIlOjTU.exe

MD5 dd34d9f192b430ded91280d28302cf35
SHA1 f5602de3aa0e5c59f4c9a5a46411a2178feefec4
SHA256 0b656c6f9a40cbb679e04d102d8801b9143550eb601afb29f2afa0e4ac14ed19
SHA512 8c01bdd0dc5cbe9aea0a0a279f814438aea8af67f9883ab60550d5a802eb4acee64f32ab3fd3f928eca77770fb6ccd2bcc2b8747afc43b856376de49d1c2d842

C:\Users\Admin\AppData\LocalICgDIlOjTU.exe

MD5 dd34d9f192b430ded91280d28302cf35
SHA1 f5602de3aa0e5c59f4c9a5a46411a2178feefec4
SHA256 0b656c6f9a40cbb679e04d102d8801b9143550eb601afb29f2afa0e4ac14ed19
SHA512 8c01bdd0dc5cbe9aea0a0a279f814438aea8af67f9883ab60550d5a802eb4acee64f32ab3fd3f928eca77770fb6ccd2bcc2b8747afc43b856376de49d1c2d842

memory/1732-68-0x0000000000400000-0x00000000009A9000-memory.dmp

C:\Users\Admin\AppData\LocalPDkoGnLcju..exe

MD5 8c538e3eda34cb6e7cbe470d93d1384a
SHA1 ccf64721bd9691e0a27cbb0d258b6bc14f8fa32c
SHA256 2bcc54ed052152ac1fb77d9c8740f4ab87e3e59f3cd82e232df64c38b369f057
SHA512 5aa63e3edbac96c32e415570a76c90f5c4dbf1dc6781c1f90d805e21a08473a0c15f11596f286f1c482e7125b31748f74f2176beba7da7954d7cc024de291e7e

memory/1716-69-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1732-70-0x0000000000400000-0x00000000009A9000-memory.dmp

memory/2580-71-0x0000000001160000-0x0000000001192000-memory.dmp

memory/1732-72-0x0000000005550000-0x00000000056A6000-memory.dmp

memory/1732-73-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/2580-74-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/1732-75-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-77-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-76-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-78-0x0000000005390000-0x00000000054D0000-memory.dmp

memory/1732-79-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-80-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-82-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-84-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-86-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-88-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-90-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-92-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-94-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-96-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-98-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-100-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-106-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-104-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-102-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-108-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-110-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-112-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-114-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-116-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-118-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-120-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-122-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-126-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-124-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-128-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-130-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-132-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-134-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-136-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-138-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-140-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-142-0x0000000005390000-0x00000000054C9000-memory.dmp

memory/1732-233-0x0000000000400000-0x00000000009A9000-memory.dmp

memory/1732-260-0x0000000000400000-0x00000000009A9000-memory.dmp

memory/1732-266-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/2580-292-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/1732-294-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-296-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-366-0x0000000005510000-0x0000000005550000-memory.dmp

C:\Users\Admin\AppData\Local\d869ceddfbbaae72888d61f058af8045\Admin@MGKTNXNO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/1732-1010-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-1011-0x0000000005BA0000-0x0000000005D6C000-memory.dmp

memory/1732-1012-0x0000000005D70000-0x0000000005EBE000-memory.dmp

memory/1732-1013-0x0000000005500000-0x0000000005514000-memory.dmp

memory/1732-1014-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-1015-0x0000000006BA0000-0x0000000006CA0000-memory.dmp

memory/2580-1048-0x0000000000520000-0x0000000000560000-memory.dmp

memory/1732-1052-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-1053-0x0000000005510000-0x0000000005550000-memory.dmp

memory/1732-1054-0x0000000006BA0000-0x0000000006CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5E8E.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

memory/2580-1073-0x0000000000520000-0x0000000000560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar6120.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67d74cafc4cbc491f23bef21d2e9401a
SHA1 d8fbbb79c979c6aecd7c88e5ab6d0f4a4f0939f4
SHA256 6e2675eda99a1b9e52d41690b87b000053d36e64752d6e2432205ef51dc47d40
SHA512 a0f5ff666ceaeb01d066e05ad28b2f0e6d595b0e5830d96beb0c3471f2c96f3679acfee7f4ffab76c86d35e64e3b63ba87267c5e4095d2c75179f07f8e49ac2c

C:\Users\Admin\AppData\Local\8a95576f3d912ac1585f66251b6e9147\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-18 21:21

Reported

2023-08-18 21:24

Platform

win10v2004-20230703-en

Max time kernel

151s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A
File created C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED03B34D-4B90-4881-A8BF-BC95678536B6} C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED03B34D-4B90-4881-A8BF-BC95678536B6}\ = d26977d42f88633dae7035ff0d98e3aefa46c1914a33ea97 C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\LocalPDkoGnLcju..exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4544 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalICgDIlOjTU.exe
PID 4544 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalICgDIlOjTU.exe
PID 4544 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalICgDIlOjTU.exe
PID 4544 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalPDkoGnLcju..exe
PID 4544 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalPDkoGnLcju..exe
PID 4544 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe C:\Users\Admin\AppData\LocalPDkoGnLcju..exe
PID 2732 wrote to memory of 1120 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1120 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1120 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1120 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1120 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1120 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1120 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1120 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1120 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1120 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1120 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2952 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2952 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2952 N/A C:\Users\Admin\AppData\LocalICgDIlOjTU.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2952 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2952 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2952 wrote to memory of 3800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2952 wrote to memory of 3800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2952 wrote to memory of 3800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe

"C:\Users\Admin\AppData\Local\Temp\ea84b06cfd59116fd687d38a13909ab00f0e38d572d0de1df42be909bea5ac45.exe"

C:\Users\Admin\AppData\LocalICgDIlOjTU.exe

"C:\Users\Admin\AppData\LocalICgDIlOjTU.exe"

C:\Users\Admin\AppData\LocalPDkoGnLcju..exe

"C:\Users\Admin\AppData\LocalPDkoGnLcju..exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp

Files

memory/4544-136-0x00007FFC36490000-0x00007FFC36E31000-memory.dmp

memory/4544-137-0x00007FFC36490000-0x00007FFC36E31000-memory.dmp

memory/4544-138-0x0000000001650000-0x0000000001660000-memory.dmp

memory/4544-139-0x0000000000CD0000-0x0000000000EDA000-memory.dmp

C:\Users\Admin\AppData\LocalICgDIlOjTU.exe

MD5 dd34d9f192b430ded91280d28302cf35
SHA1 f5602de3aa0e5c59f4c9a5a46411a2178feefec4
SHA256 0b656c6f9a40cbb679e04d102d8801b9143550eb601afb29f2afa0e4ac14ed19
SHA512 8c01bdd0dc5cbe9aea0a0a279f814438aea8af67f9883ab60550d5a802eb4acee64f32ab3fd3f928eca77770fb6ccd2bcc2b8747afc43b856376de49d1c2d842

C:\Users\Admin\AppData\LocalICgDIlOjTU.exe

MD5 dd34d9f192b430ded91280d28302cf35
SHA1 f5602de3aa0e5c59f4c9a5a46411a2178feefec4
SHA256 0b656c6f9a40cbb679e04d102d8801b9143550eb601afb29f2afa0e4ac14ed19
SHA512 8c01bdd0dc5cbe9aea0a0a279f814438aea8af67f9883ab60550d5a802eb4acee64f32ab3fd3f928eca77770fb6ccd2bcc2b8747afc43b856376de49d1c2d842

C:\Users\Admin\AppData\LocalPDkoGnLcju..exe

MD5 8c538e3eda34cb6e7cbe470d93d1384a
SHA1 ccf64721bd9691e0a27cbb0d258b6bc14f8fa32c
SHA256 2bcc54ed052152ac1fb77d9c8740f4ab87e3e59f3cd82e232df64c38b369f057
SHA512 5aa63e3edbac96c32e415570a76c90f5c4dbf1dc6781c1f90d805e21a08473a0c15f11596f286f1c482e7125b31748f74f2176beba7da7954d7cc024de291e7e

C:\Users\Admin\AppData\LocalPDkoGnLcju..exe

MD5 8c538e3eda34cb6e7cbe470d93d1384a
SHA1 ccf64721bd9691e0a27cbb0d258b6bc14f8fa32c
SHA256 2bcc54ed052152ac1fb77d9c8740f4ab87e3e59f3cd82e232df64c38b369f057
SHA512 5aa63e3edbac96c32e415570a76c90f5c4dbf1dc6781c1f90d805e21a08473a0c15f11596f286f1c482e7125b31748f74f2176beba7da7954d7cc024de291e7e

memory/4520-160-0x0000000000400000-0x00000000009A9000-memory.dmp

memory/4544-162-0x00007FFC36490000-0x00007FFC36E31000-memory.dmp

C:\Users\Admin\AppData\LocalICgDIlOjTU.exe

MD5 dd34d9f192b430ded91280d28302cf35
SHA1 f5602de3aa0e5c59f4c9a5a46411a2178feefec4
SHA256 0b656c6f9a40cbb679e04d102d8801b9143550eb601afb29f2afa0e4ac14ed19
SHA512 8c01bdd0dc5cbe9aea0a0a279f814438aea8af67f9883ab60550d5a802eb4acee64f32ab3fd3f928eca77770fb6ccd2bcc2b8747afc43b856376de49d1c2d842

C:\Users\Admin\AppData\LocalPDkoGnLcju..exe

MD5 8c538e3eda34cb6e7cbe470d93d1384a
SHA1 ccf64721bd9691e0a27cbb0d258b6bc14f8fa32c
SHA256 2bcc54ed052152ac1fb77d9c8740f4ab87e3e59f3cd82e232df64c38b369f057
SHA512 5aa63e3edbac96c32e415570a76c90f5c4dbf1dc6781c1f90d805e21a08473a0c15f11596f286f1c482e7125b31748f74f2176beba7da7954d7cc024de291e7e

memory/2732-165-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/4520-166-0x0000000000400000-0x00000000009A9000-memory.dmp

memory/4520-167-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/2732-168-0x0000000000E80000-0x0000000000EB2000-memory.dmp

memory/4520-169-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/4520-170-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/4520-171-0x0000000005CB0000-0x0000000006254000-memory.dmp

memory/4520-172-0x0000000000400000-0x00000000009A9000-memory.dmp

memory/4520-173-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-174-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-176-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-178-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-180-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-182-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-184-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-186-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-188-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-190-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-192-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-194-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-196-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-198-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-200-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-202-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-204-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-206-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-208-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-210-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-212-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-214-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-216-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-218-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-220-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-222-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-224-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-226-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-228-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-230-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-232-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/2732-234-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/4520-235-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-237-0x0000000005A00000-0x0000000005B39000-memory.dmp

memory/4520-291-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/2732-371-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/4520-405-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/4520-480-0x00000000059F0000-0x0000000005A00000-memory.dmp

C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/4520-1149-0x0000000005910000-0x00000000059A2000-memory.dmp

memory/4520-1151-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/4520-1154-0x0000000005B40000-0x0000000005B4A000-memory.dmp

memory/4520-1173-0x00000000059F0000-0x0000000005A00000-memory.dmp

C:\Users\Admin\AppData\Local\59eef321bb0f566b714e54fa0c74f63f\Admin@LMMMEQUO_en-US\System\Process.txt

MD5 fdbe286e8e4c49da466f6a26992b4817
SHA1 b981c037778610176291628e9b59d6890d7882a2
SHA256 576310939c535c1c501a0db5c70e18d1b88cbe429801949189269fa47b127d1a
SHA512 93a44e8d7e7ebc5bbb74071d8d7369f3cda594147cdab4a839946e32602f2c183aa101d508a1911260aba20b2e92c0a64fdeec031f68367916fefa51b94d3860

memory/2732-1209-0x0000000005860000-0x0000000005870000-memory.dmp

memory/4520-1212-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/4520-1215-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/2732-1216-0x00000000068B0000-0x00000000068BA000-memory.dmp

C:\Users\Admin\AppData\Local\837af3fb21b1bb704e7fab5bd3b2ec5f\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2732-1222-0x0000000005860000-0x0000000005870000-memory.dmp

memory/2732-1223-0x0000000006A10000-0x0000000006A22000-memory.dmp