Malware Analysis Report

2024-09-22 23:58

Sample ID 240418-ycpdzseb81
Target 20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b
SHA256 20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b
Tags
stormkitty spyware stealer asyncrat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b

Threat Level: Known bad

The file 20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b was found to be: Known bad.

Malicious Activity Summary

stormkitty spyware stealer asyncrat rat

Detects executables using Telegram Chat Bot

Detects executables with interest in wireless interface using netsh

Detects executables (downloaders) containing URLs to raw contents of a paste

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing Discord tokens regular expressions

Detects file containing reversed ASEP Autorun registry keys

Stormkitty family

Detects executables containing URLs to raw contents of a Github gist

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing credit card regular expressions

Detects executables referencing Windows vault credential objects. Observed in infostealers

StormKitty payload

StormKitty

AsyncRat

Detects executables referencing many VPN software clients. Observed in infostealers

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-18 19:38

Signatures

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables (downloaders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables with interest in wireless interface using netsh

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 19:38

Reported

2024-04-18 19:41

Platform

win7-20240221-en

Max time kernel

148s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables (downloaders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables with interest in wireless interface using netsh

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\ba0a5502e1450824b539041cc1d2728a\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ba0a5502e1450824b539041cc1d2728a\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\ba0a5502e1450824b539041cc1d2728a\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\ba0a5502e1450824b539041cc1d2728a\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ba0a5502e1450824b539041cc1d2728a\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\ba0a5502e1450824b539041cc1d2728a\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ba0a5502e1450824b539041cc1d2728a\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not present in extracted report] C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not present in extracted report] C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not present in extracted report] C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not present in extracted report] C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1652 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1652 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1652 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1652 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1652 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1652 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1652 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1652 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1652 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1652 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1652 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2240 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 344 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 344 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 344 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 344 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 344 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 344 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 344 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe

"C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.170:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/2240-0-0x0000000000220000-0x000000000024E000-memory.dmp

memory/2240-1-0x0000000074540000-0x0000000074C2E000-memory.dmp

memory/2240-2-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2240-69-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab52F9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar53CB.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b0b38178ae4e67dcc432bea53524149
SHA1 ef35aa32d3096d62454b9a61ed573d88f88857d5
SHA256 dc5b7b90151702d88cc7b05c6b1a7e583876f8345a7d4f799998e6965c33dbef
SHA512 88e672965b9249876fa401044458df297faf95fdf51835d2f662fd258dac1f169d9ff979ad87fd5781c39ee95014a3ad5a12df430d5dcc3ff50adeab14feb072

C:\Users\Admin\AppData\Local\d3a3a30fb40f5f013229c0e102c91ed5\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2240-155-0x0000000074540000-0x0000000074C2E000-memory.dmp

memory/2240-156-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2240-157-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 19:38

Reported

2024-04-18 19:41

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables (downloaders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables with interest in wireless interface using netsh

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
File created C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4936 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4936 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4936 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4936 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4936 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4936 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4936 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4936 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2520 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 4188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3960 wrote to memory of 4188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3960 wrote to memory of 4188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3960 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3960 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3960 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe

"C:\Users\Admin\AppData\Local\Temp\20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 137.198.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/2520-1-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/2520-0-0x0000000000460000-0x000000000048E000-memory.dmp

memory/2520-2-0x0000000002A80000-0x0000000002A90000-memory.dmp

memory/2520-3-0x0000000004FB0000-0x0000000005016000-memory.dmp

C:\Users\Admin\AppData\Local\a4c6399717db92ed687fc897f834ecd1\Admin@QUBJEIMO_en-US\System\Process.txt

MD5 6e52b88f490871e325b130b65f871520
SHA1 00fd7fc1d74ce29748be7b9905a7f85b841e1525
SHA256 542c926bad300697ba39519291dd4f79cd11960b715d7bab30e160a7db49c5bf
SHA512 95788620169540091f79bc15b8e5f866b9a63384f83cf40169f75768848b190f76a8f08d7abff6632278e7b2c97e32f2df4bb9c168815fd8ac77b7605a41bcaa

memory/2520-150-0x0000000002A80000-0x0000000002A90000-memory.dmp

memory/2520-152-0x00000000059A0000-0x0000000005A32000-memory.dmp

memory/2520-153-0x0000000005FF0000-0x0000000006594000-memory.dmp

memory/2520-157-0x0000000005CC0000-0x0000000005CCA000-memory.dmp

C:\Users\Admin\AppData\Local\afff578373bd878288baa0e41a2c5c3b\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2520-163-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

memory/2520-188-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/2520-189-0x0000000002A80000-0x0000000002A90000-memory.dmp

memory/2520-190-0x0000000002A80000-0x0000000002A90000-memory.dmp