Malware Analysis Report

2025-01-03 06:46

Sample ID 230817-v1mnhsch4v
Target ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3
SHA256 ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3
Tags
asyncrat stormkitty default persistence rat stealer
score
10/10

Analysis Overview

score
10/10

SHA256

ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3

Threat Level: Known bad

The file ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3 was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default persistence rat stealer

StormKitty payload

StormKitty

Modifies WinLogon for persistence

AsyncRat

Async RAT payload

Executes dropped EXE

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-17 17:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-17 17:27

Reported

2023-08-17 17:30

Platform

win10-20230703-en

Max time kernel

126s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe"

Signatures

AsyncRat

Tags: rat asyncrat

Modifies WinLogon for persistence

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\lignt syst.exe," C:\Windows\system32\reg.exe N/A

StormKitty

Tags: stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

Tags: rat

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4060 set thread context of 3824 N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe C:\Windows\SYSTEM32\cmd.exe
PID 5096 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe C:\Windows\SYSTEM32\cmd.exe
PID 4160 wrote to memory of 1112 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4160 wrote to memory of 1112 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 5096 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe C:\Windows\SYSTEM32\cmd.exe
PID 5096 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe C:\Windows\SYSTEM32\cmd.exe
PID 4460 wrote to memory of 408 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4460 wrote to memory of 408 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4160 wrote to memory of 3524 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4160 wrote to memory of 3524 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\reg.exe
PID 4460 wrote to memory of 3560 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4460 wrote to memory of 3560 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4460 wrote to memory of 4060 N/A C:\Windows\SYSTEM32\cmd.exe C:\Users\Admin\AppData\Roaming\lignt syst.exe
PID 4460 wrote to memory of 4060 N/A C:\Windows\SYSTEM32\cmd.exe C:\Users\Admin\AppData\Roaming\lignt syst.exe
PID 4060 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 4060 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 4060 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 4060 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 4060 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 4060 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Roaming\lignt syst.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 3824 wrote to memory of 4928 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\SYSTEM32\cmd.exe
PID 3824 wrote to memory of 4928 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\SYSTEM32\cmd.exe
PID 4928 wrote to memory of 3868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4928 wrote to memory of 3868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4928 wrote to memory of 4512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4928 wrote to memory of 4512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4928 wrote to memory of 1372 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4928 wrote to memory of 1372 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3824 wrote to memory of 860 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\SYSTEM32\cmd.exe
PID 3824 wrote to memory of 860 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 4648 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 860 wrote to memory of 4648 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 860 wrote to memory of 4932 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 860 wrote to memory of 4932 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe

"C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\lignt syst.exe,"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 7

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 16 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3.exe" "C:\Users\Admin\AppData\Roaming\lignt syst.exe" && ping 127.0.0.1 -n 16 > nul && "C:\Users\Admin\AppData\Roaming\lignt syst.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 16

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\lignt syst.exe,"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 16

C:\Users\Admin\AppData\Roaming\lignt syst.exe

"C:\Users\Admin\AppData\Roaming\lignt syst.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
AT 185.106.94.122:4449 N/A tcp
US 8.8.8.8:53 122.94.106.185.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
AT 185.106.94.122:4449 N/A tcp
AT 185.106.94.122:4449 N/A tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/5096-117-0x0000000000F60000-0x0000000000FD6000-memory.dmp

memory/5096-118-0x00000000043F0000-0x0000000004DDC000-memory.dmp

memory/5096-119-0x0000000024CA0000-0x0000000024CB0000-memory.dmp

memory/5096-120-0x0000000028110000-0x0000000028152000-memory.dmp

memory/5096-122-0x0000000000AA0000-0x0000000000B03000-memory.dmp

memory/5096-123-0x0000000000B10000-0x0000000000BBE000-memory.dmp

memory/5096-124-0x00000000016C0000-0x0000000001909000-memory.dmp

memory/5096-125-0x00000000013E0000-0x000000000145E000-memory.dmp

memory/5096-126-0x0000000001460000-0x0000000001501000-memory.dmp

memory/5096-127-0x0000000001510000-0x00000000015AD000-memory.dmp

memory/5096-129-0x0000000001DD0000-0x0000000001EF5000-memory.dmp

memory/5096-130-0x0000000002370000-0x000000000240C000-memory.dmp

memory/5096-128-0x0000000001D10000-0x0000000001D69000-memory.dmp

memory/5096-132-0x0000000002410000-0x0000000002709000-memory.dmp

memory/5096-133-0x0000000002300000-0x0000000002327000-memory.dmp

memory/5096-134-0x0000000002710000-0x000000000285A000-memory.dmp

memory/5096-135-0x0000000002860000-0x0000000002956000-memory.dmp

memory/5096-136-0x0000000002960000-0x00000000029CA000-memory.dmp

memory/5096-138-0x00000000029D0000-0x0000000002B59000-memory.dmp

memory/5096-137-0x0000000002330000-0x000000000234E000-memory.dmp

memory/5096-141-0x00000000043D0000-0x00000000043E1000-memory.dmp

memory/5096-140-0x0000000002E10000-0x0000000002E3D000-memory.dmp

memory/5096-142-0x0000000002350000-0x000000000235A000-memory.dmp

memory/5096-139-0x0000000002B60000-0x0000000002BFA000-memory.dmp

memory/5096-143-0x00000000043F0000-0x0000000004DDC000-memory.dmp

memory/5096-144-0x0000000004E40000-0x0000000004F37000-memory.dmp

memory/5096-145-0x000000001F680000-0x000000001F7C3000-memory.dmp

memory/5096-147-0x000000001F970000-0x000000001FA9C000-memory.dmp

memory/5096-146-0x000000001F7D0000-0x000000001F865000-memory.dmp

memory/5096-131-0x0000000001D70000-0x0000000001DC1000-memory.dmp

memory/5096-148-0x0000000022E70000-0x00000000242A7000-memory.dmp

memory/5096-149-0x000000001F870000-0x000000001F8B9000-memory.dmp

memory/5096-150-0x00000000242B0000-0x000000002435A000-memory.dmp

memory/5096-151-0x0000000024360000-0x0000000024A52000-memory.dmp

memory/5096-153-0x000000001F8C0000-0x000000001F8D5000-memory.dmp

memory/5096-154-0x0000000024AB0000-0x0000000024AD5000-memory.dmp

memory/5096-155-0x0000000024AE0000-0x0000000024AF7000-memory.dmp

memory/5096-156-0x0000000024BB0000-0x0000000024BE4000-memory.dmp

memory/5096-152-0x0000000024A60000-0x0000000024AAC000-memory.dmp

memory/5096-158-0x0000000024CB0000-0x0000000024D56000-memory.dmp

memory/5096-157-0x0000000024BF0000-0x0000000024BFB000-memory.dmp

memory/5096-159-0x0000000024C70000-0x0000000024C9A000-memory.dmp

memory/5096-160-0x0000000024E20000-0x0000000024F86000-memory.dmp

memory/5096-161-0x0000000024F90000-0x000000002504F000-memory.dmp

memory/5096-162-0x0000000025050000-0x00000000251E5000-memory.dmp

memory/5096-163-0x0000000025640000-0x0000000025900000-memory.dmp

memory/5096-164-0x0000000026590000-0x00000000268BE000-memory.dmp

memory/5096-165-0x00000000268C0000-0x0000000026B46000-memory.dmp

memory/5096-166-0x0000000026B50000-0x0000000026B80000-memory.dmp

memory/5096-167-0x0000000026B80000-0x0000000026BEC000-memory.dmp

memory/5096-168-0x0000000026BF0000-0x0000000026C0B000-memory.dmp

memory/5096-169-0x0000000026C10000-0x0000000026C47000-memory.dmp

memory/5096-172-0x0000000025AD0000-0x0000000025AD8000-memory.dmp

memory/5096-170-0x0000000026C50000-0x0000000026D27000-memory.dmp

memory/5096-171-0x0000000027130000-0x000000002718C000-memory.dmp

memory/5096-173-0x0000000027190000-0x000000002719B000-memory.dmp

memory/5096-174-0x0000000027EA0000-0x0000000027EB4000-memory.dmp

memory/5096-175-0x0000000027EC0000-0x0000000028089000-memory.dmp

memory/5096-176-0x0000000028090000-0x00000000280E6000-memory.dmp

memory/5096-177-0x00000000280F0000-0x0000000028101000-memory.dmp

memory/5096-179-0x0000000028210000-0x00000000283BC000-memory.dmp

memory/5096-178-0x0000000028180000-0x0000000028188000-memory.dmp

memory/5096-180-0x0000000028720000-0x00000000287BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\lignt syst.exe

MD5 3165e5045b93dd77931c69b373226483
SHA1 c4652b4087ef45c0ff18f7f01922905bdeb0ffe7
SHA256 ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3
SHA512 07e9821f3ae56b32d6ba6fed9db634c9f5041d2f5c3279f9596dbdb38d8e2d77c8a42a078ef527c8bf87a528fe6f66947098280e2c8d1e8dba5539a8a26e99de

C:\Users\Admin\AppData\Roaming\lignt syst.exe

MD5 3165e5045b93dd77931c69b373226483
SHA1 c4652b4087ef45c0ff18f7f01922905bdeb0ffe7
SHA256 ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3
SHA512 07e9821f3ae56b32d6ba6fed9db634c9f5041d2f5c3279f9596dbdb38d8e2d77c8a42a078ef527c8bf87a528fe6f66947098280e2c8d1e8dba5539a8a26e99de

memory/4060-186-0x0000000000F40000-0x0000000000FB6000-memory.dmp

memory/4060-187-0x0000000004010000-0x00000000049FC000-memory.dmp

memory/4060-188-0x0000000024130000-0x0000000024140000-memory.dmp

memory/4060-189-0x0000000028C80000-0x0000000028C9A000-memory.dmp

memory/4060-190-0x00000000290C0000-0x00000000290C6000-memory.dmp

memory/4060-191-0x0000000004010000-0x00000000049FC000-memory.dmp

memory/4060-192-0x00000000006C0000-0x0000000000723000-memory.dmp

memory/4060-193-0x0000000000730000-0x00000000007DE000-memory.dmp

memory/4060-194-0x0000000001290000-0x00000000014D9000-memory.dmp

memory/4060-195-0x0000000001000000-0x000000000107E000-memory.dmp

memory/4060-196-0x00000000014E0000-0x0000000001581000-memory.dmp

memory/4060-251-0x0000000024130000-0x0000000024140000-memory.dmp

memory/3824-375-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3824-376-0x00007FFF31030000-0x00007FFF31A1C000-memory.dmp

memory/3824-384-0x00000269C4830000-0x00000269C4840000-memory.dmp

memory/4060-435-0x0000000004010000-0x00000000049FC000-memory.dmp

memory/3824-436-0x00007FFF4DEB0000-0x00007FFF4E08B000-memory.dmp

memory/3824-440-0x00000269C4830000-0x00000269C4840000-memory.dmp

memory/3824-439-0x00000269C4830000-0x00000269C4840000-memory.dmp

memory/3824-442-0x00007FFF31030000-0x00007FFF31A1C000-memory.dmp

memory/3824-443-0x00000269C4BF0000-0x00000269C4C66000-memory.dmp

memory/3824-444-0x00000269C4C70000-0x00000269C4D92000-memory.dmp

memory/3824-445-0x00000269ABCE0000-0x00000269ABCFE000-memory.dmp

memory/3824-446-0x00000269C4830000-0x00000269C4840000-memory.dmp

memory/3824-447-0x00000269C4D90000-0x00000269C4EC4000-memory.dmp

memory/3824-448-0x00000269ABE70000-0x00000269ABE7A000-memory.dmp

memory/3824-472-0x00000269C52C0000-0x00000269C52E2000-memory.dmp

memory/3824-473-0x00007FFF4DEB0000-0x00007FFF4E08B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFEA6.tmp.dat

MD5 dcac7589c66728ce87f51aea48746c0c
SHA1 8bf1e0ddd49c658154017b4efd781b35f2c2b3e5
SHA256 41d3cff236378944c160e16cb500f69df28b7b962b9a4f768de1ace20486b2fe
SHA512 3be051430ffdd638dc0c44876fb4595588d1248bae3623782f02e1eca5b33ad89c33dfa03c3c9ed1fbb434b3237bd810283a4cc3924f4af07b5ac6e0c5b0fad6

C:\Users\Admin\AppData\Local\Temp\tmpFEB8.tmp.dat

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\296a85e6e23dcd3bb3d834ed3182be3c\Admin@MCPGVJNB_en-US\System\Process.txt

MD5 5623e66668bb26727a2013cb157ff285
SHA1 5a5e29564e0df99a2f2a5da4ba152e6d63a29731
SHA256 dc839d3bdf975426b2644db390d374de9c05e4a4ebb02c3f216b7157e6723471
SHA512 da520708193e0ba7d4a7aa9982b6da7f68e44c02e53aa7aa5362a2792a3a30f8bf67b8397bfccbaa602b58fde4b39ee74a10dc19f98e735ca411beb782fafe85

memory/3824-566-0x00000269C4830000-0x00000269C4840000-memory.dmp

memory/3824-568-0x00000269C4830000-0x00000269C4840000-memory.dmp

memory/3824-570-0x00000269C5350000-0x00000269C53CA000-memory.dmp

memory/3824-610-0x00000269C53D0000-0x00000269C5454000-memory.dmp

C:\Users\Admin\AppData\Local\296a85e6e23dcd3bb3d834ed3182be3c\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99