asyncrat | bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3644f9a06d97f903a5ceebdd7f2f4500.exe
Size

222KB
MD5

3644f9a06d97f903a5ceebdd7f2f4500
SHA1

53ed26fba664d03b0e2423d6da7235c983fe2a1e
SHA256

bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56
SHA512

f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a
SSDEEP

6144:zVW1Fk5kc9tepTde06Or1HVSuZyfbqLW:JWnYt0hHVSuTLW

Score

10^/10

asyncrat stormkitty default persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

94.232.249.111:6606

94.232.249.111:7707

94.232.249.111:8808

Mutex

o6tEeoRxJb0n

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/memory/2060-100-0x0000000000870000-0x00000000008A2000-memory.dmp	family_stormkitty
behavioral1/files/0x0006000000016d71-98.dat	family_stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000016d65-89.dat	family_asyncrat
behavioral1/files/0x0006000000016d71-98.dat	family_asyncrat

Downloads MZ/PE file

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk	3644f9a06d97f903a5ceebdd7f2f4500.exe

Executes dropped EXE 5 IoCs

pid	Process
2680	relog.exe
2396	22DC.tmp.svchost.exe
2060	2379.tmp.Serverssss.exe
1224	23C8.tmp.svchost.exe
784	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
1516	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Macromedia = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Service_Macromedia.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Media Center Programs = "C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\Service_Media Center Programs.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3644f9a06d97f903a5ceebdd7f2f4500.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Identities = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Service_Identities.exe"	3644f9a06d97f903a5ceebdd7f2f4500.exe

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	2379.tmp.Serverssss.exe
File opened for modification	C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	2379.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	2379.tmp.Serverssss.exe
File opened for modification	C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	2379.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	2379.tmp.Serverssss.exe
File created	C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	2379.tmp.Serverssss.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 2680	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2379.tmp.Serverssss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2379.tmp.Serverssss.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1740	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
1200	Explorer.EXE
2396	22DC.tmp.svchost.exe
2396	22DC.tmp.svchost.exe
2396	22DC.tmp.svchost.exe
2060	2379.tmp.Serverssss.exe
2060	2379.tmp.Serverssss.exe
2060	2379.tmp.Serverssss.exe
2060	2379.tmp.Serverssss.exe
2060	2379.tmp.Serverssss.exe
2060	2379.tmp.Serverssss.exe
2060	2379.tmp.Serverssss.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe
2680	relog.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSecurityPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeTakeOwnershipPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeLoadDriverPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemProfilePrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemtimePrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeProfSingleProcessPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeIncBasePriorityPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeCreatePagefilePrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeBackupPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeRestorePrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeShutdownPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeDebugPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemEnvironmentPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeRemoteShutdownPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeUndockPrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeManageVolumePrivilege	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 33	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 34	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 35	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeDebugPrivilege	2680	relog.exe
Token: SeDebugPrivilege	2680	relog.exe
Token: SeDebugPrivilege	2680	relog.exe
Token: SeDebugPrivilege	2060	2379.tmp.Serverssss.exe
Token: SeDebugPrivilege	2396	22DC.tmp.svchost.exe
Token: SeDebugPrivilege	784	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2680	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe	28
PID 2216 wrote to memory of 2680	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe	28
PID 2216 wrote to memory of 2680	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe	28
PID 2216 wrote to memory of 2680	2216	3644f9a06d97f903a5ceebdd7f2f4500.exe	28
PID 2680 wrote to memory of 1200	2680	relog.exe	21
PID 2680 wrote to memory of 1200	2680	relog.exe	21
PID 1200 wrote to memory of 2396	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2396	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2396	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2396	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2060	1200	Explorer.EXE	30
PID 1200 wrote to memory of 2060	1200	Explorer.EXE	30
PID 1200 wrote to memory of 2060	1200	Explorer.EXE	30
PID 1200 wrote to memory of 2060	1200	Explorer.EXE	30
PID 1200 wrote to memory of 1224	1200	Explorer.EXE	31
PID 1200 wrote to memory of 1224	1200	Explorer.EXE	31
PID 1200 wrote to memory of 1224	1200	Explorer.EXE	31
PID 1200 wrote to memory of 1224	1200	Explorer.EXE	31
PID 2396 wrote to memory of 2956	2396	22DC.tmp.svchost.exe	33
PID 2396 wrote to memory of 2956	2396	22DC.tmp.svchost.exe	33
PID 2396 wrote to memory of 2956	2396	22DC.tmp.svchost.exe	33
PID 2396 wrote to memory of 2956	2396	22DC.tmp.svchost.exe	33
PID 2396 wrote to memory of 1516	2396	22DC.tmp.svchost.exe	36
PID 2396 wrote to memory of 1516	2396	22DC.tmp.svchost.exe	36
PID 2396 wrote to memory of 1516	2396	22DC.tmp.svchost.exe	36
PID 2396 wrote to memory of 1516	2396	22DC.tmp.svchost.exe	36
PID 2956 wrote to memory of 856	2956	cmd.exe	37
PID 2956 wrote to memory of 856	2956	cmd.exe	37
PID 2956 wrote to memory of 856	2956	cmd.exe	37
PID 2956 wrote to memory of 856	2956	cmd.exe	37
PID 1516 wrote to memory of 1740	1516	cmd.exe	39
PID 1516 wrote to memory of 1740	1516	cmd.exe	39
PID 1516 wrote to memory of 1740	1516	cmd.exe	39
PID 1516 wrote to memory of 1740	1516	cmd.exe	39
PID 1516 wrote to memory of 784	1516	cmd.exe	40
PID 1516 wrote to memory of 784	1516	cmd.exe	40
PID 1516 wrote to memory of 784	1516	cmd.exe	40
PID 1516 wrote to memory of 784	1516	cmd.exe	40
PID 2060 wrote to memory of 1968	2060	2379.tmp.Serverssss.exe	41
PID 2060 wrote to memory of 1968	2060	2379.tmp.Serverssss.exe	41
PID 2060 wrote to memory of 1968	2060	2379.tmp.Serverssss.exe	41
PID 2060 wrote to memory of 1968	2060	2379.tmp.Serverssss.exe	41
PID 1968 wrote to memory of 2964	1968	cmd.exe	43
PID 1968 wrote to memory of 2964	1968	cmd.exe	43
PID 1968 wrote to memory of 2964	1968	cmd.exe	43
PID 1968 wrote to memory of 2964	1968	cmd.exe	43
PID 1968 wrote to memory of 3064	1968	cmd.exe	44
PID 1968 wrote to memory of 3064	1968	cmd.exe	44
PID 1968 wrote to memory of 3064	1968	cmd.exe	44
PID 1968 wrote to memory of 3064	1968	cmd.exe	44
PID 1968 wrote to memory of 1732	1968	cmd.exe	45
PID 1968 wrote to memory of 1732	1968	cmd.exe	45
PID 1968 wrote to memory of 1732	1968	cmd.exe	45
PID 1968 wrote to memory of 1732	1968	cmd.exe	45
PID 2060 wrote to memory of 288	2060	2379.tmp.Serverssss.exe	46
PID 2060 wrote to memory of 288	2060	2379.tmp.Serverssss.exe	46
PID 2060 wrote to memory of 288	2060	2379.tmp.Serverssss.exe	46
PID 2060 wrote to memory of 288	2060	2379.tmp.Serverssss.exe	46
PID 288 wrote to memory of 1744	288	cmd.exe	48
PID 288 wrote to memory of 1744	288	cmd.exe	48
PID 288 wrote to memory of 1744	288	cmd.exe	48
PID 288 wrote to memory of 1744	288	cmd.exe	48
PID 288 wrote to memory of 876	288	cmd.exe	49
PID 288 wrote to memory of 876	288	cmd.exe	49

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe
  "C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\relog.exe
    C:\Windows\system32\relog.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\22DC.tmp.svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\22DC.tmp.svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp342A.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1740
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:784
- C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe
  "C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3064
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:288
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:876
- C:\Users\Admin\AppData\Local\Temp\23C8.tmp.svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\23C8.tmp.svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a2ef3b71d625ae8910a8c52e08c9977

SHA1
2790e5f8b36d52ff8dbed052cef7d87bc0537cfe

SHA256
55ae24b5ad7e8d07d0acc806b64b7a49441a6e1e219bd0e8bcaa0c9b3700c422

SHA512
076b2f4eb106fba0c63315b9c2b03c930d7a4a501db9cbc0d35c4dc897002f049944dae09e016214dd34d9858fee2739753e41a06aa66afe42734f6ffc617974

Download Submit
C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\5ea1f8d352b61a84ae2baa81d2cef9ca\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\22DC.tmp.svchost.exe

Filesize
47KB

MD5
6d13d147a209e3be044035f0c03b7bde

SHA1
1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283

SHA256
9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548

SHA512
a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe

Filesize
175KB

MD5
da34ea26ddfedfd7966e8aedf0bb93e6

SHA1
ba30bde364d564268d175090364158cb66c165a9

SHA256
817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20

SHA512
fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DE2.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp342A.tmp.bat

Filesize
151B

MD5
7995660c84b39705a9bfa6219f336d6c

SHA1
4834f8f9654eb5b0f385db542fddb8e96cf54457

SHA256
d498073a76e27a41e1cd2960e11e4d91bd2a1c3cbc7cd803bbe28bc3ff255ad0

SHA512
293194472b1d4e47df2fe002a02ac3b1cfacc4960a3e56f44e7e98c7f0fb08cfce557cdff36c541ee6af75ce716e5e47cbd5e4b0e83565c1bdae9b1650a8f7c8

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe

Filesize
222KB

MD5
3644f9a06d97f903a5ceebdd7f2f4500

SHA1
53ed26fba664d03b0e2423d6da7235c983fe2a1e

SHA256
bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56

SHA512
f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk

Filesize
838B

MD5
9cd73872889252234910131a0e77e8e6

SHA1
8ac54b01e3abd4f60f8ea7f01feb2fcdddf43a6a

SHA256
ca9943ee5d5ed715f936f1d1c3bec22ac18dd1417b98a585bbe0ba2bd6626a43

SHA512
52d99c5fa8a08df875d2bfa164c4253d2f9d12d629baa4c16d93a940b6e95e0c38c70e50b033ae9ffc0c735ee56ec3839fd132981de6545ada7fcd212ab5fecb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk

Filesize
892B

MD5
864c979cf24d021b40a080efd2a7d354

SHA1
078000eff7a1125854ac4fde70359b77c2d9da6a

SHA256
7cb7b89d12d51efa6d32134ba1b73dc0d4db61cc9a9c40f712acf73f0ead1dab

SHA512
2bcc8f95c36aa2c968bfd4d5f7f9caf1cac9e029a18d6dc31db8062c11346f5dc0f776ac01dffc7afe3c2a9f32a39f4fa8914bd738b39268dc9f8f85872a55bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk

Filesize
892B

MD5
d42b02c8c0bac745df729913af425e69

SHA1
1ab3fe9df3156cef02c7eadd387c0c9d35a0183f

SHA256
f08e8e8beb4340f5b4572cceaa7cbb68895f42fe12047ee3f04d99a3cefc75ed

SHA512
01f29e9fda371654ee56cf1737d5952c835b5a2fe61b614785afabdbb7668292cf8b4ddcedaff2476577998150d685f28ddc298562bd5e0a395ecdddbf12bcad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk

Filesize
1002B

MD5
2c272841a6b8e5a31a09aaa581ee4059

SHA1
d87b66881323eeca8d325984982795c0de9eae33

SHA256
51fd31127497996dcfa0be56240f5ed7789390b59517d91634d99b05979f9557

SHA512
a9fc6df91e883e9345d0da2084f9c7b4bcc1d2bdbb9f38987ce9bdb24bef95bb3d6cd2244c815f6d2561e9049add1fd99072b85d22a6371d642d23dce1c78bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk

Filesize
856B

MD5
64837a79620c1408dccedb9a6872b77c

SHA1
a8ac9ee73b0bef41a30eced76a86fc16d5d9b415

SHA256
9f696867e04d8e36469909b7ab9beda19ea83b73c147d56ee6b89b0a87a5211d

SHA512
13d81d8cf8b37d85d13b654d028ff04adbf9fbf9b188bc6dc2fcb79f6524c5b96d791f0ab75f379730bf5d312591042238dfab370dc9b57d531be72a13e7bc7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk

Filesize
860B

MD5
e281dd02da707ae372485940dd65ad89

SHA1
c4fc2c9d3014f8dc8c80e3c35e334839c9d5911e

SHA256
53b74d3547769e5695eca2398926c325badc7e59f5fba05d838f2154136808fd

SHA512
3da365a463467b355d570ddddc28bd69a177e9b9e66103b8bd655f88ca5063ebfc9a79cabcce4d91badf042c94a68659fb8d7ca1009df94d399cdbb8a66b0c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk

Filesize
991B

MD5
5b0f800b4cd137a576327ba41ad8ce41

SHA1
21be32cb89fce391330a451811850456c8afb34d

SHA256
949318fbf13d2ac3d6884f178e5bd25d891c6071cc7fd69dbc9045bf294a9e72

SHA512
cf559c65b7e97bd52b04af38f4a4903fae2c77c58bd7ce0ec832ff8e7eb65379b872485475c507a6ba80ab766abcb4a5a3a54e9a0cce7fa5c7f5c6009e13832e

Download Submit
\Users\Admin\AppData\Local\Temp\TH1F94.tmp

Filesize
222KB

MD5
933bc84c355410977507fce60295cc73

SHA1
1b395d4888d1dc60127e7c65fe7da857981bda1e

SHA256
f097a2cdef650eddd702047ae31625bafedd92099b92c1cfc61be73e636ed152

SHA512
d7f3ae4b5729b392e610fd084b7b19408ec52215106e8dd58cf7d019db8cd398bd4a368adf526e72f8cd6e8584ac0fe392d979e719df79bb17b5570542cb4740

Download Submit
memory/784-176-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/1200-90-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/1200-71-0x0000000002A40000-0x0000000002A56000-memory.dmp

Filesize
88KB

Download
memory/1200-219-0x0000000002DC0000-0x0000000002E11000-memory.dmp

Filesize
324KB

Download
memory/1200-77-0x0000000002DC0000-0x0000000002E11000-memory.dmp

Filesize
324KB

Download
memory/1200-75-0x0000000002DC0000-0x0000000002E11000-memory.dmp

Filesize
324KB

Download
memory/1200-72-0x0000000002A40000-0x0000000002A56000-memory.dmp

Filesize
88KB

Download
memory/1200-76-0x0000000002D60000-0x0000000002D7A000-memory.dmp

Filesize
104KB

Download
memory/1200-68-0x00000000024E0000-0x0000000002522000-memory.dmp

Filesize
264KB

Download
memory/1200-69-0x00000000024E0000-0x0000000002522000-memory.dmp

Filesize
264KB

Download
memory/1224-107-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/2060-100-0x0000000000870000-0x00000000008A2000-memory.dmp

Filesize
200KB

Download
memory/2396-92-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2396-99-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/2680-61-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download