Malware Analysis Report

2024-09-23 03:17

Sample ID 240701-fp7f8azgqk
Target 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
Tags
asyncrat njrat stormkitty default hacked evasion persistence privilege_escalation rat stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb was found to be: Known bad.

Malicious Activity Summary

StormKitty payload

njRAT/Bladabindi

StormKitty

AsyncRat

Modifies Windows Firewall

Drops startup file

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Drops desktop.ini file(s)

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2024-07-01 05:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 05:03

Reported

2024-07-01 05:09

Platform

win7-20240221-en

Max time kernel

297s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
N/A N/A C:\Program Files (x86)\windows defender (2).exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\23027d09db9badb50e9cbe9ac3b64f57\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\23027d09db9badb50e9cbe9ac3b64f57\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\23027d09db9badb50e9cbe9ac3b64f57\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\23027d09db9badb50e9cbe9ac3b64f57\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\23027d09db9badb50e9cbe9ac3b64f57\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\23027d09db9badb50e9cbe9ac3b64f57\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1016 set thread context of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files (x86)\windows defender (2).exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2428 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2428 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2428 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2428 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 1016 wrote to memory of 1976 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 1016 wrote to memory of 1976 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 1016 wrote to memory of 1976 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 1016 wrote to memory of 1976 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 1976 wrote to memory of 1972 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 1976 wrote to memory of 1972 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 1976 wrote to memory of 1972 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 1976 wrote to memory of 1972 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1016 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2560 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2560 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2560 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2376 wrote to memory of 2464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2464 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2464 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2464 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 43

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 43

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

"C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Program Files (x86)\windows defender (2).exe

"C:\Program Files (x86)\windows defender (2).exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Program Files (x86)\windows defender (2).exe" "windows defender (2).exe" ENABLE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
NL 194.26.192.92:5552 N/A tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp

Files

memory/2124-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/2124-1-0x0000000000E80000-0x0000000000FD8000-memory.dmp

memory/2124-2-0x0000000074B60000-0x000000007524E000-memory.dmp

memory/2124-3-0x0000000004600000-0x0000000004644000-memory.dmp

memory/2124-5-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/2124-6-0x0000000074B60000-0x000000007524E000-memory.dmp

memory/2124-7-0x0000000074B60000-0x000000007524E000-memory.dmp

\Program Files (x86)\Google Chrome sandbox.exe.exe

MD5 b7ca45674c6b8a24a6a71315e0e51397
SHA1 79516b1bd2227f08ff333b950dafb29707916828
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512 f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

memory/1016-18-0x0000000001220000-0x0000000001378000-memory.dmp

memory/1016-19-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/1016-20-0x0000000074B10000-0x00000000751FE000-memory.dmp

\Program Files (x86)\windows defender (2).exe

MD5 71185c6ea449b6062eae832f6c5589ae
SHA1 94e783519f5a2011bb7ed000b8a9a038ce0ed675
SHA256 23e1e6534d9494648fd798356f5c16e223f3c8c1d5b1f33ce47757d54d4eac57
SHA512 972ac1fe01dd0963cb03d1379d845377ef2f5de777baf7b2ae97b98292293a96c519cbe8bd89c5a7797d0480bf6251955f9709d5ef7cd4490968af22a679f8cb

memory/1016-28-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/1016-29-0x0000000000C70000-0x0000000000C8A000-memory.dmp

memory/1016-30-0x0000000000C90000-0x0000000000C96000-memory.dmp

memory/2376-33-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-31-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2376-37-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-35-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-40-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-42-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-41-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\af504c90833bdfb1884cb467bcb35e48\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-01 05:03

Reported

2024-07-01 05:09

Platform

win10-20240404-en

Max time kernel

297s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
N/A N/A C:\Program Files (x86)\windows defender (2).exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2988 set thread context of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files (x86)\windows defender (2).exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2212 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2212 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2212 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2212 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2212 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2212 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2212 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2212 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2988 wrote to memory of 2384 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 2988 wrote to memory of 2384 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 2988 wrote to memory of 2384 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 2384 wrote to memory of 1360 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 2384 wrote to memory of 1360 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 2384 wrote to memory of 1360 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2988 wrote to memory of 2376 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3036 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3036 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3036 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3036 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3036 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3036 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3036 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3036 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2376 wrote to memory of 348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 348 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 348 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 348 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 348 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 348 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

"C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Program Files (x86)\windows defender (2).exe

"C:\Program Files (x86)\windows defender (2).exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Program Files (x86)\windows defender (2).exe" "windows defender (2).exe" ENABLE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
NL 194.26.192.92:5552 N/A tcp
US 8.8.8.8:53 92.192.26.194.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:6606 N/A tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
N/A 127.0.0.1:7707 N/A tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:8808 N/A tcp

Files

memory/3796-0-0x000000007407E000-0x000000007407F000-memory.dmp

memory/3796-1-0x0000000000E70000-0x0000000000FC8000-memory.dmp

memory/3796-2-0x0000000005270000-0x0000000005302000-memory.dmp

memory/3796-3-0x0000000005310000-0x00000000053AC000-memory.dmp

memory/3796-4-0x00000000058B0000-0x0000000005DAE000-memory.dmp

memory/3796-5-0x0000000074070000-0x000000007475E000-memory.dmp

memory/3796-6-0x0000000006210000-0x0000000006254000-memory.dmp

memory/3796-7-0x00000000064D0000-0x00000000064DA000-memory.dmp

memory/3796-9-0x0000000074070000-0x000000007475E000-memory.dmp

memory/3796-10-0x000000007407E000-0x000000007407F000-memory.dmp

memory/3796-11-0x0000000074070000-0x000000007475E000-memory.dmp

memory/3796-13-0x0000000074070000-0x000000007475E000-memory.dmp

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

MD5 b7ca45674c6b8a24a6a71315e0e51397
SHA1 79516b1bd2227f08ff333b950dafb29707916828
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512 f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

memory/2988-19-0x0000000074040000-0x000000007472E000-memory.dmp

memory/2988-20-0x0000000000220000-0x0000000000378000-memory.dmp

memory/2988-21-0x0000000074040000-0x000000007472E000-memory.dmp

C:\Program Files (x86)\windows defender (2).exe

MD5 71185c6ea449b6062eae832f6c5589ae
SHA1 94e783519f5a2011bb7ed000b8a9a038ce0ed675
SHA256 23e1e6534d9494648fd798356f5c16e223f3c8c1d5b1f33ce47757d54d4eac57
SHA512 972ac1fe01dd0963cb03d1379d845377ef2f5de777baf7b2ae97b98292293a96c519cbe8bd89c5a7797d0480bf6251955f9709d5ef7cd4490968af22a679f8cb

memory/2988-27-0x0000000074040000-0x000000007472E000-memory.dmp

memory/2988-28-0x00000000076A0000-0x00000000076BA000-memory.dmp

memory/2988-29-0x0000000007C60000-0x0000000007C66000-memory.dmp

memory/2376-30-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-31-0x0000000005480000-0x00000000054E6000-memory.dmp

C:\Users\Admin\AppData\Local\dd7fbfa4fb92fcba2cfb9b1c9bcd43cc\Admin@FCXHTLHL_en-US\System\Process.txt

MD5 db846d4d125548101dae75f1eedd142a
SHA1 716c63dba99b4239826455674e43fe1a424655ce
SHA256 da8c1abf8591c2641fb4529b1771769c2344157600524bf50c66d9a46533c691
SHA512 269ccb63faa0eedc05fc338ba781e2479bff416b27c6c4d11a7fb2f937d2917235bdeae5c76dca9df873fd7909b2d279c3b78d5958d0d9cd662ff3dc03abedb3

memory/2376-152-0x0000000006200000-0x000000000620A000-memory.dmp

C:\Users\Admin\AppData\Local\e4a0d2ea7974b7b06d69c7d68cb237c2\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2376-158-0x0000000006B00000-0x0000000006B12000-memory.dmp