Malware Analysis Report

2024-10-23 19:20

Sample ID 231004-b7zf4sad28
Target 5c206519b44d99681aa637386f513175572ec510e83ef24590f5310fd41f373c
SHA256 5c206519b44d99681aa637386f513175572ec510e83ef24590f5310fd41f373c
Tags
asyncrat default rat stealerium stormkitty collection stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c206519b44d99681aa637386f513175572ec510e83ef24590f5310fd41f373c

Threat Level: Known bad

The file 5c206519b44d99681aa637386f513175572ec510e83ef24590f5310fd41f373c was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat stealerium stormkitty collection stealer

AsyncRat

StormKitty

StormKitty payload

Stealerium

Async RAT payload

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Program crash

outlook_win_path

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 01:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 01:47

Reported

2023-10-04 01:50

Platform

win7-20230831-en

Max time kernel

142s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1368 set thread context of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f1bee164f6d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b0000000002000000000010660000000100002000000008649939f06d0bfd77aa18918e8cfa706b10d4ae083e2fc63b378e756bbaa7e6000000000e800000000200002000000076d073aef7ca11285494fe06405640e42864295736725929bf6ca61ececd0aec9000000066efff5b086e22b38e7dea619575c45f49319fa0128a25b2ebcfb1528079a4a9ee1e34ab4806df7ec818c143e1bfb010a72f99a13b4251ed87b9e5363544fe2b9a75842bff0ee855b0c94ece8e4a351ed703b0a29b101f6a7a6794ee5c3d3fafcf33443bdf109eca89ad9ae6a3727acaff9f2694fe6d624bfb77c4d212e8180673e5b50efd8b83b2c20438879746c5c840000000bb29e7f25db1707a6566286729de0f02573a5ce6420393a92adcd0c2b9d63784b3683656c20e2619af29617fd711df851a1b3f8054ad904fc441f41c0333af85 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C6C6AE1-6258-11EE-8877-7200988DF339} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000a4ea516fac787c1f0a61389296145b1b0e7053dd6463a489812a6e09f8369ed1000000000e8000000002000020000000ec61145ae031d89b07069b9e3c7fdc7372901593e778d1e357b17652277649a120000000f5de8963d71414b36e53343bd5d868d8378520edf3926b83b0bc09edbaaa9a644000000066f6b260af913a30e07c616d8db7fa29f02891cb1a185b3b42de5f80dc4e5e466f5d75b9bea1f0671dad78f234c1eb1152daece728f776192dde77732b781226 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402545949" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 1200 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1200 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1200 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1200 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2660 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2660 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2660 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe

"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1368-0-0x0000000000160000-0x0000000000190000-memory.dmp

memory/1368-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp

memory/1368-2-0x0000000004640000-0x0000000004680000-memory.dmp

memory/1368-3-0x00000000004B0000-0x00000000004D8000-memory.dmp

memory/1368-4-0x0000000000580000-0x000000000059A000-memory.dmp

memory/1200-5-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1200-7-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1200-9-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1368-10-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 01:47

Reported

2023-10-04 01:50

Platform

win10v2004-20230915-en

Max time kernel

136s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"

Signatures

AsyncRat

rat asyncrat

Stealerium

stealer stealerium

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3736 set thread context of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3736 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3736 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3736 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
PID 3736 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
PID 3736 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3736 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3736 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3736 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 3736 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1156 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2756 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2756 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2756 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2756 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2756 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2756 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2756 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2756 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1156 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5012 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5012 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5012 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5012 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5012 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe

"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1156 -ip 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 3140

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 10.127.0.118:9346 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
DE 79.134.225.113:9346 tcp
US 8.8.8.8:53 113.225.134.79.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
DE 79.134.225.113:9346 tcp
DE 79.134.225.113:9346 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
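
Most of the Network table is DNS noise, but two facts are buried in it: the sample connects three times to 79.134.225.113 on TCP 9346 (a non-web port, with no hostname ever resolved for it), and one of the reverse lookups, 113.225.134.79.in-addr.arpa, is the PTR name for that same address. The Python below is an added example, not part of the report; it parses the table rows, turns in-addr.arpa names back into addresses, and applies a simple C2 heuristic (public address, non-web port, never seen with a hostname). The table text is a constructed copy of the rows above; the heuristic and the WEB_PORTS set are the example's own choices, not anything the sandbox states.

```python
"""Added example: extract candidate C2 endpoints from the Network table and cross-check
them against the PTR (in-addr.arpa) lookups recorded in the same table."""
import ipaddress
from collections import Counter

# Constructed copy of the table: country, destination, optional domain, protocol.
NETWORK_TABLE = """\
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 10.127.0.118:9346 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
DE 79.134.225.113:9346 tcp
US 8.8.8.8:53 113.225.134.79.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
DE 79.134.225.113:9346 tcp
DE 79.134.225.113:9346 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"
WEB_PORTS = {80, 443}  # example's choice: ports where a hostname-less connection is unremarkable


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); the domain column may be absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def ptr_to_ip(name):
    """'113.225.134.79.in-addr.arpa' -> '79.134.225.113' (PTR names reverse the octets)."""
    name = name.lower()
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def summarize(text):
    tcp = Counter()            # (ip, port) -> connection count
    named_ips = set()          # IPs that appeared with a resolved hostname
    ptr_targets, forward_lookups = set(), set()
    for country, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53 and domain:
            if domain.lower().endswith(PTR_SUFFIX):
                ptr_targets.add(ptr_to_ip(domain))
            else:
                forward_lookups.add(domain.lower())
        elif proto == "tcp":
            tcp[(ip, port)] += 1
            if domain:
                named_ips.add(ip)
    c2_candidates = {
        (ip, port) for ip, port in tcp
        if not ipaddress.ip_address(ip).is_private and port not in WEB_PORTS and ip not in named_ips
    }
    return {
        "tcp": tcp,
        "ptr_targets": ptr_targets,
        "forward_lookups": forward_lookups,
        "c2_candidates": c2_candidates,
        # A PTR query for the same address the sample then talks to is a strong pivot.
        "ptr_corroborated": {ip for ip, _ in c2_candidates if ip in ptr_targets},
    }


if __name__ == "__main__":
    r = summarize(NETWORK_TABLE)
    print("C2 candidates:", r["c2_candidates"], "corroborated by PTR:", r["ptr_corroborated"])
```

The private 10.127.0.118:9346 row is excluded by the is_private check; in a sandbox such an address is usually the analysis network's gateway, but the report does not say so, so treat that as an assumption. The tse1.mm.bing.net traffic is tied to a resolved Microsoft hostname on 443 and drops out of the candidate set for that reason.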

Files

memory/3736-0-0x0000000000890000-0x00000000008C0000-memory.dmp

memory/3736-1-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/3736-2-0x00000000057E0000-0x0000000005D84000-memory.dmp

memory/3736-3-0x00000000052D0000-0x0000000005362000-memory.dmp

memory/3736-4-0x0000000005370000-0x000000000540C000-memory.dmp

memory/3736-5-0x0000000005270000-0x0000000005280000-memory.dmp

memory/3736-6-0x0000000005280000-0x000000000528A000-memory.dmp

memory/3736-7-0x00000000055B0000-0x00000000055D8000-memory.dmp

memory/3736-8-0x0000000005620000-0x000000000563A000-memory.dmp

memory/1156-9-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1156-11-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/3736-12-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1156-13-0x0000000005350000-0x0000000005360000-memory.dmp

memory/1156-14-0x00000000771F1000-0x00000000771F2000-memory.dmp

memory/1156-15-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1156-16-0x0000000005350000-0x0000000005360000-memory.dmp

memory/1156-19-0x0000000005B30000-0x0000000005B96000-memory.dmp

memory/1156-20-0x0000000007080000-0x00000000070F6000-memory.dmp

memory/1156-21-0x0000000007100000-0x0000000007288000-memory.dmp

memory/1156-22-0x0000000007020000-0x000000000703E000-memory.dmp

memory/1156-27-0x0000000007060000-0x000000000706A000-memory.dmp

memory/1156-29-0x0000000007600000-0x0000000007722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6BBA.tmp.dat

MD5 6e98ae51f6cacb49a7830bede7ab9920
SHA1 1b7e9e375bd48cae50343e67ecc376cf5016d4ee
SHA256 192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd
SHA512 3e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b

C:\Users\Admin\AppData\Local\Temp\tmp6BDC.tmp.dat

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

memory/1156-64-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/1156-79-0x0000000008A00000-0x0000000008D54000-memory.dmp

C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\System\Process.txt

MD5 858d21e9c2b2d58d5ce420a35ef26fa2
SHA1 44d7c7367b1300076c7499452ca2930e67bace5b
SHA256 a3bd8d66cbad3964b03e1f4f664b1e665984ef2d3b9f69c1d57190191cf03cc8
SHA512 77e458f9380fc1ebd43dee0abcc045f99480e7ae46932d4654cc661c78d1ae83ca0cb38afb8cbacaf9e5acf3a205cbbdcbb65d2129a90eb42bb507fa0ebd7409

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 d323a4dc560e546b81bc8cb0c92b3b88
SHA1 d1f635b2406aefe247f56239fd6a0ab02710149d
SHA256 403bbe142a59f699a89903789ea0c9fa0e606bf67bde3b750c631323ce70e6c6
SHA512 8e85ac339c215c07532f41d45c7f1d475675f69928ddc25bc3e7af49487732936b171e71355fe4888de325a7cff3283aa8025749f202983a6d7ea2832c40afd7

memory/1156-190-0x0000000005350000-0x0000000005360000-memory.dmp

memory/1156-198-0x0000000007860000-0x00000000078AC000-memory.dmp

memory/1156-205-0x00000000746F0000-0x0000000074EA0000-memory.dmp
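
The dropped files give away the stealer's staging layout: a directory under AppData\Local named with 32 hex characters, then a <user>@<host>_<locale> folder (Admin@SMIJWJMH_en-US), then per-category subfolders such as Browsers\Mozilla\Firefox and System, plus scratch files in Temp (tmpXXXX.tmp.dat and places.raw). The Python below is an added example, not part of the report; it recognises that layout in a list of file-write paths and groups what was staged per victim identity. The path list is constructed from the Files section above with one entry repeated to show how repeated writes collapse; the regular expressions are the example's own generalisation of the single layout seen here and should be widened if other samples use different separators.

```python
"""Added example: recognise the stealer staging layout seen in the Files section
(<AppData\\Local>\\<32 hex>\\<user>@<host>_<locale>\\<category>\\...) and Temp scratch files."""
import re
from collections import defaultdict

STAGING_RE = re.compile(
    r"^(?P<root>[a-z]:\\users\\[^\\]+\\appdata\\local\\[0-9a-f]{32})\\"
    r"(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_(?P<locale>[a-z]{2}-[a-z]{2})\\"
    r"(?P<category>[^\\]+)\\(?P<rest>.+)$",
    re.IGNORECASE,
)
# Scratch files the sample left in Temp: tmpXXXX.tmp.dat and places.raw.
TEMP_SCRATCH_RE = re.compile(
    r"\\appdata\\local\\temp\\(tmp[0-9a-f]{4}\.tmp\.dat|places\.raw)$", re.IGNORECASE
)

# Constructed from the report's file list; the memory-dump entry shows that non-file
# rows are ignored, and Process.txt is repeated on purpose.
PATHS = [
    r"memory/3736-0-0x0000000000890000-0x00000000008C0000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\Temp\tmp6BBA.tmp.dat",
    r"C:\Users\Admin\AppData\Local\Temp\tmp6BDC.tmp.dat",
    r"C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\Temp\places.raw",
    r"C:\Users\Admin\AppData\Local\55c93886b9f2f6b232495f25127eab55\Admin@SMIJWJMH_en-US\System\Process.txt",
]


def find_staging(paths):
    """Group staged files by staging root.

    Returns {root: {"identity": "<user>@<host>_<locale>", "categories": {category: [files]}}}
    with duplicate writes of the same file collapsed.
    """
    staging = {}
    for p in paths:
        m = STAGING_RE.match(p)
        if not m:
            continue
        entry = staging.setdefault(
            m.group("root"),
            {"identity": f"{m.group('user')}@{m.group('host')}_{m.group('locale')}",
             "categories": defaultdict(set)},
        )
        entry["categories"][m.group("category")].add(m.group("rest"))
    return {
        root: {"identity": e["identity"],
               "categories": {c: sorted(f) for c, f in sorted(e["categories"].items())}}
        for root, e in staging.items()
    }


def find_temp_scratch(paths):
    """Temp scratch files matching the stealer's naming, deduplicated and sorted."""
    return sorted({p for p in paths if TEMP_SCRATCH_RE.search(p)})


if __name__ == "__main__":
    for root, e in find_staging(PATHS).items():
        print(root, e["identity"])
        for category, files in e["categories"].items():
            print("   ", category, files)
    print("scratch:", find_temp_scratch(PATHS))
```

The 32-hex-character directory directly under AppData\Local is the cheapest hunt here: it is unusual for legitimate software and, on a live host, its presence plus a user@host_locale child is enough to pull the machine for triage. places.raw sitting in Temp next to a Firefox Bookmarks.txt output is consistent with the stealer copying the Firefox places database before parsing it, but the report does not state that, so it is an inference rather than a finding.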