asyncrat | 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

Analysis

max time kernel
295s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-06-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
Size

1.7MB
MD5

b7ca45674c6b8a24a6a71315e0e51397
SHA1

79516b1bd2227f08ff333b950dafb29707916828
SHA256

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512

f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f
SSDEEP

24576:iRJSuMgl+JTBJ5aB3KoWWbHcXThtehTl5O9TLb:0IEFd/CTqR8P

Score

10^/10

asyncrat njrat stormkitty default hacked evasion persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

194.26.192.92:5552

Mutex

3c34302470a14b537cf05fcc9ade517d

Attributes

reg_key
3c34302470a14b537cf05fcc9ade517d
splitter
|'|'|

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7095863454:AAFGhBQqJXY7rFzi0CT99qZPVRwQpKI6R1A/sendMessage?chat_id=7257613869

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty
StormKitty payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4232-30-0x0000000000400000-0x0000000000432000-memory.dmp family_stormkitty
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

756 netsh.exe

resource	yara_rule
behavioral2/memory/4232-30-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

pid	process
756	netsh.exe

Drops startup file 1 IoCs

Processes:

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

Executes dropped EXE 2 IoCs

Processes:

Google Chrome sandbox.exe.exewindows defender (2).exe

pid process

4560 Google Chrome sandbox.exe.exe
3600 windows defender (2).exe

pid	process
4560	Google Chrome sandbox.exe.exe
3600	windows defender (2).exe

Drops desktop.ini file(s) 8 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	InstallUtil.exe
File created	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	InstallUtil.exe
File created	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	InstallUtil.exe
File created	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	InstallUtil.exe
File created	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	InstallUtil.exe
File created	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	InstallUtil.exe
File opened for modification	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	InstallUtil.exe
File created	C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	InstallUtil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

30 pastebin.com
29 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

Google Chrome sandbox.exe.exe

description pid process target process

PID 4560 set thread context of 4232 4560 Google Chrome sandbox.exe.exe InstallUtil.exe

flow	ioc
30	pastebin.com
29	pastebin.com

flow	ioc
19	icanhazip.com

description	pid	process	target process
PID 4560 set thread context of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe

Drops file in Program Files directory 3 IoCs

Processes:

cmd.exeGoogle Chrome sandbox.exe.exe

description	ioc	process
File created	C:\Program Files (x86)\Google Chrome sandbox.exe.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Google Chrome sandbox.exe.exe	cmd.exe
File created	C:\Program Files (x86)\windows defender (2).exe	Google Chrome sandbox.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	InstallUtil.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2692 PING.EXE
3504 PING.EXE

pid	process
2692	PING.EXE
3504	PING.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exeGoogle Chrome sandbox.exe.exeInstallUtil.exe

pid	process
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
4560	Google Chrome sandbox.exe.exe
4560	Google Chrome sandbox.exe.exe
4560	Google Chrome sandbox.exe.exe
4560	Google Chrome sandbox.exe.exe
4560	Google Chrome sandbox.exe.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe
4232	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exeGoogle Chrome sandbox.exe.exewindows defender (2).exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
Token: SeDebugPrivilege	4560	Google Chrome sandbox.exe.exe
Token: SeDebugPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: SeDebugPrivilege	4232	InstallUtil.exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe
Token: 33	3600	windows defender (2).exe
Token: SeIncBasePriorityPrivilege	3600	windows defender (2).exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.execmd.exeGoogle Chrome sandbox.exe.exewindows defender (2).exeInstallUtil.execmd.execmd.exe

description	pid	process	target process
PID 2304 wrote to memory of 4680	2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe	cmd.exe
PID 2304 wrote to memory of 4680	2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe	cmd.exe
PID 2304 wrote to memory of 4680	2304	63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe	cmd.exe
PID 4680 wrote to memory of 2692	4680	cmd.exe	PING.EXE
PID 4680 wrote to memory of 2692	4680	cmd.exe	PING.EXE
PID 4680 wrote to memory of 2692	4680	cmd.exe	PING.EXE
PID 4680 wrote to memory of 3504	4680	cmd.exe	PING.EXE
PID 4680 wrote to memory of 3504	4680	cmd.exe	PING.EXE
PID 4680 wrote to memory of 3504	4680	cmd.exe	PING.EXE
PID 4680 wrote to memory of 4560	4680	cmd.exe	Google Chrome sandbox.exe.exe
PID 4680 wrote to memory of 4560	4680	cmd.exe	Google Chrome sandbox.exe.exe
PID 4680 wrote to memory of 4560	4680	cmd.exe	Google Chrome sandbox.exe.exe
PID 4560 wrote to memory of 3600	4560	Google Chrome sandbox.exe.exe	windows defender (2).exe
PID 4560 wrote to memory of 3600	4560	Google Chrome sandbox.exe.exe	windows defender (2).exe
PID 4560 wrote to memory of 3600	4560	Google Chrome sandbox.exe.exe	windows defender (2).exe
PID 3600 wrote to memory of 756	3600	windows defender (2).exe	netsh.exe
PID 3600 wrote to memory of 756	3600	windows defender (2).exe	netsh.exe
PID 3600 wrote to memory of 756	3600	windows defender (2).exe	netsh.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 2856	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4560 wrote to memory of 4232	4560	Google Chrome sandbox.exe.exe	InstallUtil.exe
PID 4232 wrote to memory of 3772	4232	InstallUtil.exe	cmd.exe
PID 4232 wrote to memory of 3772	4232	InstallUtil.exe	cmd.exe
PID 4232 wrote to memory of 3772	4232	InstallUtil.exe	cmd.exe
PID 3772 wrote to memory of 432	3772	cmd.exe	chcp.com
PID 3772 wrote to memory of 432	3772	cmd.exe	chcp.com
PID 3772 wrote to memory of 432	3772	cmd.exe	chcp.com
PID 3772 wrote to memory of 3692	3772	cmd.exe	netsh.exe
PID 3772 wrote to memory of 3692	3772	cmd.exe	netsh.exe
PID 3772 wrote to memory of 3692	3772	cmd.exe	netsh.exe
PID 3772 wrote to memory of 3932	3772	cmd.exe	findstr.exe
PID 3772 wrote to memory of 3932	3772	cmd.exe	findstr.exe
PID 3772 wrote to memory of 3932	3772	cmd.exe	findstr.exe
PID 4232 wrote to memory of 4832	4232	InstallUtil.exe	cmd.exe
PID 4232 wrote to memory of 4832	4232	InstallUtil.exe	cmd.exe
PID 4232 wrote to memory of 4832	4232	InstallUtil.exe	cmd.exe
PID 4832 wrote to memory of 4624	4832	cmd.exe	chcp.com
PID 4832 wrote to memory of 4624	4832	cmd.exe	chcp.com
PID 4832 wrote to memory of 4624	4832	cmd.exe	chcp.com
PID 4832 wrote to memory of 3120	4832	cmd.exe	netsh.exe
PID 4832 wrote to memory of 3120	4832	cmd.exe	netsh.exe
PID 4832 wrote to memory of 3120	4832	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 42 > nul && copy "C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 42 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 42
3⤵
- Runs ping.exe
PID:2692

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 42
3⤵
- Runs ping.exe
PID:3504

C:\Program Files (x86)\Google Chrome sandbox.exe.exe
"C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Program Files (x86)\windows defender (2).exe
"C:\Program Files (x86)\windows defender (2).exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Program Files (x86)\windows defender (2).exe" "windows defender (2).exe" ENABLE
5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
5⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:432

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
6⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3692

C:\Windows\SysWOW64\findstr.exe
findstr All
6⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
5⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4624

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
6⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google Chrome sandbox.exe.exe
Filesize
1.7MB

MD5
b7ca45674c6b8a24a6a71315e0e51397

SHA1
79516b1bd2227f08ff333b950dafb29707916828

SHA256
63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

SHA512
f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

Download Submit
C:\Program Files (x86)\windows defender (2).exe
Filesize
37KB

MD5
71185c6ea449b6062eae832f6c5589ae

SHA1
94e783519f5a2011bb7ed000b8a9a038ce0ed675

SHA256
23e1e6534d9494648fd798356f5c16e223f3c8c1d5b1f33ce47757d54d4eac57

SHA512
972ac1fe01dd0963cb03d1379d845377ef2f5de777baf7b2ae97b98292293a96c519cbe8bd89c5a7797d0480bf6251955f9709d5ef7cd4490968af22a679f8cb

Download Submit
C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\System\Process.txt
Filesize
4KB

MD5
ad77d04b69a734defb35d513707e44f4

SHA1
c6a59eb124d29f30698d1503c326ff18ea684a53

SHA256
c0f31d85fd28a05ab229f1c408c0a4d1022b5e5d3f9db65a59ade1b7b1168486

SHA512
c590f76adf54056188f186a1858780d085e513ac3a386a2a1ddf807a0e3a620ec5615d931cd653d963ccb55232a2142689ec708d15dde1fe546acde7283a6ea4

Download Submit
C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\msgid.dat
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/2304-6-0x0000000005C30000-0x0000000005C74000-memory.dmp

Filesize
272KB

Download
memory/2304-4-0x00000000053B0000-0x00000000058AE000-memory.dmp

Filesize
5.0MB

Download
memory/2304-7-0x0000000005EA0000-0x0000000005EAA000-memory.dmp

Filesize
40KB

Download
memory/2304-9-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-10-0x000000007393E000-0x000000007393F000-memory.dmp

Filesize
4KB

Download
memory/2304-11-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-13-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-5-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-1-0x0000000000320000-0x0000000000478000-memory.dmp

Filesize
1.3MB

Download
memory/2304-2-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/2304-3-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

Filesize
624KB

Download
memory/2304-0-0x000000007393E000-0x000000007393F000-memory.dmp

Filesize
4KB

Download
memory/4232-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4232-31-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/4232-153-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/4232-159-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/4560-27-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-28-0x00000000072A0000-0x00000000072BA000-memory.dmp

Filesize
104KB

Download
memory/4560-29-0x0000000007880000-0x0000000007886000-memory.dmp

Filesize
24KB

Download
memory/4560-21-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-20-0x0000000001180000-0x00000000012D8000-memory.dmp

Filesize
1.3MB

Download
memory/4560-19-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download