Malware Analysis Report

2025-01-03 06:30

Sample ID 230926-tse32abd7t
Target Prysmax Stealer v4.0 @blackcrackr.exe
SHA256 03a3b480a717c57dc876d668d6be89ecf2f75c1c50fc0660ee5b6350dd3e9494
Tags
rat default asyncrat stormkitty spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03a3b480a717c57dc876d668d6be89ecf2f75c1c50fc0660ee5b6350dd3e9494

Threat Level: Known bad

The file Prysmax Stealer v4.0 @blackcrackr.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty spyware stealer

Async RAT payload

Stormkitty family

Asyncrat family

StormKitty payload

AsyncRat

StormKitty

Reads user/profile data of web browsers

Looks up external IP address via web service

Looks up geolocation information via web service

Drops desktop.ini file(s)

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 16:18

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 16:18

Reported

2023-09-26 16:21

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
File created C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
File created C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
File created C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
File created C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
File created C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\taskmgr.exe N/A 38
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A 26

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\taskmgr.exe N/A 64

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\taskmgr.exe N/A 64

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4772 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1492 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 1492 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe 3
PID 1492 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 4772 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe C:\Windows\SysWOW64\cmd.exe 3
PID 5040 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 5040 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe

"C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp 1
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp 1
US 8.8.8.8:53 198.5.85.104.in-addr.arpa udp 1
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp 1
US 8.8.8.8:53 icanhazip.com udp 1
US 104.18.114.97:80 icanhazip.com tcp 1
US 8.8.8.8:53 api.mylnikov.org udp 1
US 172.67.196.114:443 api.mylnikov.org tcp 1
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp 1
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 3
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp 1
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
N/A 127.0.0.1:8808 N/A tcp 9
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp 1
N/A 127.0.0.1:6606 N/A tcp 7
N/A 127.0.0.1:7707 N/A tcp 2
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp 1

Files

memory/4772-0-0x0000000000050000-0x0000000000080000-memory.dmp

memory/4772-1-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/4772-2-0x0000000004A70000-0x0000000004A80000-memory.dmp

memory/4772-3-0x0000000004B80000-0x0000000004BE6000-memory.dmp

memory/520-41-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-44-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-50-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/520-67-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-59-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-69-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-71-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-70-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-72-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/520-73-0x000001D3E5A60000-0x000001D3E5A61000-memory.dmp

memory/4772-78-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/4772-85-0x0000000004A70000-0x0000000004A80000-memory.dmp

C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\System\Process.txt

MD5 5e13a183f1d009256ae5f55933a17565
SHA1 1e907d839592d51918777c5193ef07380d9b0ca2
SHA256 bd6d89fcbd5e5e16db25de3cc6e1da8459a4d9d11cf260257dfad631b733c27a
SHA512 9c79f1d0b66b076bf9d4ea9d1e1390454532fef6003e938acaabd276b6639706a54a468a3b1047e6cf48eafb938075176365995c11317aa0ecef21c2960908d8

memory/4772-169-0x0000000004A70000-0x0000000004A80000-memory.dmp

memory/4772-171-0x0000000005990000-0x0000000005A22000-memory.dmp

memory/4772-172-0x0000000005FE0000-0x0000000006584000-memory.dmp

memory/4772-176-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

C:\Users\Admin\AppData\Local\dffaeb0d926bd07d8a3f05eb1e5be402\msgid.dat

MD5 e2eacaff46787bfeefcaa24cf35264c7
SHA1 f19cfbfd92943598a5fd121803f33aa27a6a7737
SHA256 9a094988ee453389615f0706c2467b3f4ac80ea300d3ba1f20d3698d5f5dbafa
SHA512 f8bca6b6817e929a8fb2e257a203729690a6c8f7717f537a1f1d803bfb3be9eaa8c5a0efa4ba1d144c2fa1c802ff7aa460a089da79c96c0fffdac2854518aabe

memory/4772-182-0x0000000006950000-0x0000000006962000-memory.dmp

memory/4772-207-0x0000000004A70000-0x0000000004A80000-memory.dmp