Analysis Overview
SHA256
8a1d5ca68426a265761fd1f2b421407d404527c9c9d07a9b37c0f8891e91acd7
Threat Level: Known bad
The file 113a8172009135084f3683e7ece90bf0_NEAS was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
AsyncRat
StormKitty
Executes dropped EXE
Deletes itself
Drops startup file
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-07 08:44
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 08:44
Reported
2024-05-07 08:46
Platform
win10v2004-20240419-en
Max time kernel
136s
Max time network
104s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\113a8172009135084f3683e7ece90bf0_NEAS.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\113a8172009135084f3683e7ece90bf0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\113a8172009135084f3683e7ece90bf0_NEAS.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Fisting Fisting.cmd & Fisting.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 339833
C:\Windows\SysWOW64\findstr.exe
findstr /V "BoughtFridgeAdjustmentsReprints" Inherited
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Sony + Exposure + Computation 339833\h
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif
339833\Stopping.pif 339833\h
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Planners" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FireGuard Dynamics Ltd\BlazeTrack.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url" & echo URL="C:\Users\Admin\AppData\Local\FireGuard Dynamics Ltd\BlazeTrack.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Planners" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FireGuard Dynamics Ltd\BlazeTrack.js'" /sc minute /mo 5 /F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2948
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1848 -ip 1848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 2848
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| GB | 23.73.138.10:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | TqyMedynBBLz.TqyMedynBBLz | udp |
| US | 8.8.8.8:53 | 10.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.110.208.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| JP | 85.208.110.83:4449 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fisting
| MD5 | d8e90b24eb6fdffc3df6a74e4e38544d |
| SHA1 | 5cf656a011817189cecdaab3e44e7da000f3355e |
| SHA256 | fd8817de96c482af436b45c379bc52a7fca6a0621d5719627a126d03b217f52c |
| SHA512 | 33805bcb4d23e82f2cc90636ca4d1b1a07a74548eac08d5825f9a275d92b053f7d729b69ca340987dd2e7a282f0620f48923e9adf287b551505a0bf80c75286f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Inherited
| MD5 | 849b1e8d989341051d8ae7cd6f72c5b2 |
| SHA1 | 12ca8002b9f6be2059d414b7a7745dba30bea4dc |
| SHA256 | 7976c050fd6dc412172741f6dcc7ce7bd52bf5064bb5a6af9a78540eee635772 |
| SHA512 | cd009d9d75bd7078979f42c242010c2ba9574fc414ae8b3cc10725f7cf51fee8bc784d76f91824990fd51ed73137d0c8f2b0aac56dfe15f323beb813216821d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Warrior
| MD5 | f8c0d69cd3897b63232859d6b5009fec |
| SHA1 | 55346b93c68f91a2f1b603323509ff20cea4ffa9 |
| SHA256 | 89a8c779abe4bf929ae7746ac9e90b698a58f179fa925bbb9fe33dbc1a50ecd6 |
| SHA512 | 4728d1a9c4a2b9d91fec67f825a72a017943ebd279ccec3645db8eeeb4a3d04007132625845ea3a7f16efbc7a6961b70d5b5e227076b918144e144f699f4ee7d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Senators
| MD5 | f4bccaf19494d52305d521f419ab3938 |
| SHA1 | 022d8aac78e21c4f7b1440c9eee25c7cb1f493ca |
| SHA256 | d13d43692b6173b95c4390d3a1d980d66ac38fa1f9849bca41e5e393d894854a |
| SHA512 | a08fe5da833d75ae99c30b891499d311954eba3bea681ab199b095ec1f846e51e9fac320354604d0ea07090849d417d164fdd1e174b07eb7cd14be9e8d548e2e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Minds
| MD5 | bc8effc59b9bddb86d85047ca966988a |
| SHA1 | f68613e1e23575211c871eff9d7946b189345b87 |
| SHA256 | 3dfb2abe5fda3df38322ff87b11c6d691d4518591a7bdcfcaf67f254d7f213ab |
| SHA512 | aa4297c725b42dae9627c0ea07ee04cbf5c92c2e0262145d7d0d14946c238d2bed23e7ff2f8055f6669b9e95821cdccb03cbd3a7d699a55473e2825c5a9c7ebe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stakeholders
| MD5 | 4966194ad8296a52d701f42b740c1f25 |
| SHA1 | fe00d37581272979616b862fc77c189b3bcb2c01 |
| SHA256 | 0529f5cf9f2b08e7142d5c0e075861f5db4f11cfc4e50cb2f73403f4747711c0 |
| SHA512 | a2cd3420119a0da80c14f0518b79981c129b3a82abba8ce9b2509ddb214ff4db8be6598152376b2f1594692e5f019915b7d428cd1e9528860412fd08befaa47e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ghana
| MD5 | ec2b1cd3ea12569b1a90cf99d27ca60b |
| SHA1 | a0f0449188a940b1cceba70e92bbd438a785f7ec |
| SHA256 | 66bfdd1518286840d67188fce8ba7be13aad259ccfed4b4e8f8958bd430bc796 |
| SHA512 | ec8ab770a7cbbce4d6986e290a59440cdeada572a65abd8fec4a4018b5c6c9fdd4eeb793d93a645c17c098570dd410774ac9d8470334bbaba7ad7125eaecdc34 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mistakes
| MD5 | b625f8e5b5bcfab8bfd4aa71c228f747 |
| SHA1 | 8ce79654ef55bbda80b028d8f60d9cedd4c9a117 |
| SHA256 | 4d5ce0addc4ff8bea284f52a3f11ef2450f15c8d391eb0a65b2d902226f82e32 |
| SHA512 | 3a1a74205babaf341a9235f71516989e6aca2d6e9508b2358c71f4dc35f8de1e81705d55f7cd915e76bdffcc3cf1eda3e0c9e1ad3121633d7d7ca142c927ca54 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sparc
| MD5 | 0f5b0e9ad6cfb5e0a913e0a7c12abe57 |
| SHA1 | 9e793cfc0565c7467b59294608ea8d1308d6c899 |
| SHA256 | 9ef68ca5882d4c436015bf1df787770d4f3f7305bd3b97294ae09d1312f6c9f9 |
| SHA512 | 7174e31dd3d038079835898747a439d324262fcdead7862fd7fcb6e0a7a4d2b29e5ddced5bd6e22365a420445ca5d467fd4773589d6926260f47f736bb7868cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Somalia
| MD5 | 97d3d432b10a822c2960a9ae97e0ed53 |
| SHA1 | 609d182660eb1bb84d70203c8a23f3a63c32a8fe |
| SHA256 | f59df2e2ddd05424cf91af3a35e527e6662bc0fe00612fdaca2a89fccc8c4d71 |
| SHA512 | 85b4c3be11b9d6ebe020e96aab229c3980de85d76bdc92180666c602de6e4d8bad3f7c09ab01f5fe75bd081a5d459113bee3fab27e78f30f3c0b172ea33e9494 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Retro
| MD5 | 6e57da8fb52db44e3d24c644fe9e6dd9 |
| SHA1 | 80bb126cb0dc6d54d4860baa12d4d154e5243c77 |
| SHA256 | 7de34a3fe0463842f6c3a4bc0a2e96e20dfb344fddc1f367e00ca8972b4d0dc5 |
| SHA512 | 92c1e13f3b606ff2061a3a5192a7ad52bd87a88c3f4e3acaa7d34417b28e0aee1f4550cb85297f34854f6bd4f51d03ae1003d4e26d380005987893977fd1b56d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Knows
| MD5 | d9cf305144efe6319dfcc2307d1ff594 |
| SHA1 | c6249a23d4a46629bf3765a80799be258045764f |
| SHA256 | 56db54d340fdda78113ec630a1e5ee83079b379c43db515efe9638e53f9a50d8 |
| SHA512 | 154dcfc89e53273fa33365a66c78cf196e1de4a273333c7bbc8bfe20931c59ed0aff588c1699c95179d36504eb212f02f77dbe59a8f844786bfb0a07ff94eb66 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Either
| MD5 | 03250f004b96859e3158fae4f6bc0b81 |
| SHA1 | be0a9e5974f1cfc25ec3cf9bb6875522f792f1e8 |
| SHA256 | 5c73eed5563c6171003ebf296f3fd49c917ae225b5803f32423be24cc34e3a3b |
| SHA512 | 9405e61b43ef9ef585673d2000216d17fc90d55fffe31b9b907fb98c197b77fd7825d17a0dab7326705ebd59d977f46e01767cf5879069769e81dda92fcb025b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sides
| MD5 | 4ff3fa065fe8157720cb59263f34c567 |
| SHA1 | 1af2259e245fec769398bf13636f3bb62b0618bc |
| SHA256 | 0233147905e47dbb1122e1bdb5d396b8be4214e6e3597e7dd8b06b4168affaa9 |
| SHA512 | 0614d2d82b990e3cad16c107d44a0f44ab39b392cbeeb68623f5c01ce2fcba760350e7b697fd9a039d1306383dcd4bc6a2ae816112adbe9789c4466c73eb1892 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Classified
| MD5 | 07debd9aa8e8f93fb444ade604c5aac0 |
| SHA1 | 17f3cc110ac0c05baaa1d7c73a8d4281fb875793 |
| SHA256 | 5014b55c0ccf57fd035c7a59447d01abd50d9edc850d40b60d3c05bf61f35cf3 |
| SHA512 | f12ba0fdec4c19968ceebfdcce8fa18ed216c7a3b7f73321437d0ca49ace1b419654164eeb929c6bfdb2f74d621ec9224708530569504a983927b1fc19aa0847 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Suburban
| MD5 | 4aa4fcf681c797e6f3f386b73f058478 |
| SHA1 | 91c626a6061180ea4204c9d98b2f501096a9966a |
| SHA256 | d814ad6fe816a22e3368f6c4d20a0e49a9c9a8fde7f782f0c6d481f20fd66d34 |
| SHA512 | fc99b5293696b779cffb83ad424ec136fb3573229ddbc3f0be8934cf091125c3ca6d1b52d3d1c9b3364ed1e4571672b87ac64910ad588139c8d5431f1a1fc009 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Saves
| MD5 | e398341fcccb6180175a67de57e2fe4c |
| SHA1 | 2a69f148208a7a423b3043289b1a858af2fb34a2 |
| SHA256 | 5ae360d7e3c72daa0ec9ff9766d95f504239b627c597b7e2468cf69882bcf315 |
| SHA512 | ed91bad4a94a9931a88a052662eca4e38ca5084a3baacd1a369fa36f386f5b64380571d9751936b1c9f73433899a974c33b208372b60fb84ba8f38aad3c688c8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Regulatory
| MD5 | 6c73f58bda7e5da7e10037764809ac7b |
| SHA1 | dd8fe1e9bbb6925b7adccf38fdab14dd2b5e433f |
| SHA256 | c87ff93edce5898fe1193e7f281f980d5fa876f41260ff19ed07317bd29347b5 |
| SHA512 | 2cdedb740600109ced659e32c9270d0b17427ab993f792627b16f84ecfb310ad506aa2ee263f4cc11901c66f0eaf8f3cc76dcfe7b5893895d06b0d4865720020 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tall
| MD5 | 829cf2b2bfc78d05f95154c2b023601f |
| SHA1 | 03c4ea60a18dfeb93b4d69e8f23fff2d0ad4472f |
| SHA256 | 50de5c2dd580dcbcdd11c7d45e6b877b4bcb056e291f9e3ed690736a4d12eefe |
| SHA512 | 1144977513b6dbbe10589ec057e058d6302348b14e998a7e1ce425e5016995f9f48809d328bf22bb2788f4c7d9e79cfe062a85a4f110eaf597279cb6f0b7dfd8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Got
| MD5 | b1b686c13028845dfb364778ba3e930b |
| SHA1 | 9d4879242f72828137bf05b7438a451a130fc94d |
| SHA256 | a0467302c53713f49c5c81cf69c5eea0cf315b6a50527843fce16af1bcb29848 |
| SHA512 | fd7cd3eb649057f9182b6634600830e43cd08b0320c2544e9002077fd80ad445c0ef1f47a41a0b35b80cba0f5039867653bf63ce34d6c9c83f2232835c033b64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Won
| MD5 | b64f8ca3edcd8026c33cd68e2c18d2c3 |
| SHA1 | 73146b6ea976402ee53780eccb143435a50ea4d9 |
| SHA256 | 00a9785a5853900083a60d715d58e64ae5608bd30b04acd276673a698c8df645 |
| SHA512 | fc6763a24010ffa16354a0726b71d6a0b48f3e59ad28d31ef590ab3e42df7aa6692d74e72535279900704a44f28f16085b994f4b79b2ba0961ecb53795022d39 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jamaica
| MD5 | a0c97f3faff398c9e8dcbd37a17f2cc3 |
| SHA1 | 7122de6070a99973bb6a35de772b8a73ebe2fb5b |
| SHA256 | a7150d3d3e8f76dcf1cf7abdc3bdd8c46a2b60cfde83e5fbd1d0d9f4a5c488ae |
| SHA512 | 14f2e2b019d4f3c949a79fe05e34007eb5ce1dc69d733ead687aa76e8baded9927bdec569fe14f496ac0ad217a1f8752697846d09378a3b5857107978855ffb5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Laboratory
| MD5 | eddba146fce3fa7a450aa55f4ca2369c |
| SHA1 | 280293581330c9821a8d3dd5ebb4163d30ea51a2 |
| SHA256 | 04f2a37926fc12bba0d9e7bd03924725bff1b9439d218c3cbef7cf6304377ac1 |
| SHA512 | b8233dd24c1bde1608a0ee408ab0b2542f0ad391b922785771f3f23a0741a8eef7d72b7407ab78009bfba60ea0689024f1d162158c06d2ea4994b1db80cb0833 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Talk
| MD5 | af2e4fa5ea7f52df461f5ac0b0cef67c |
| SHA1 | 56be72c397b3769acf1d302e5372c97d5c077171 |
| SHA256 | be02bd95868ebf4f354b807ea571670150e032aa8257ab220fe8e4af083a694e |
| SHA512 | 15388c184b2795f0fc003d364c97086c8ff0fec2b2379746523808fba471ccf54b13bef628054b2b4254903e81df114649f8461e8d9306116216360d12d49e02 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hamilton
| MD5 | 15c593aca9fc5cf7d47e4c3cd48e26ec |
| SHA1 | 49c97258bbb89f2e52ce3ca7352e8b7593da5cf3 |
| SHA256 | f4b16652e429bfba5652c58dd82c791294f16fc397a2f33ce85030ff0a3b9ac5 |
| SHA512 | 0461146aeb7bd97e6be14da727eadedffb3c5ffb83bf6c67f1db8bb6795e4e62acb140457f761b79bd00e4bf3a1e84a9e871977db256ac17c854e14e8b424993 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Diverse
| MD5 | 6efceb1fcf815f61da5e0cc3790d11ee |
| SHA1 | deaa0d31ef059029157bd87e020070643d986b87 |
| SHA256 | 84087586b5d87f582bfc8d45008f86842b0c26c9e3c37170b31d1e8820103b9b |
| SHA512 | 35fe73b662c60ffcd123053dea66254dcc88cdd58d2f8307ba00c6845b92c04904348dae4f3d04ea48f2a3320bb624ff032547726852b8da53df89fb860f805d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sony
| MD5 | a5d54c564593543f1a8ac7baa0bac0c3 |
| SHA1 | 8661fa81bd99c060ac4f6df7500d9449d51a044c |
| SHA256 | 338413aed073738ca30c2ab2cb0e18d32502d03df06351ec371bc76cee7e4f81 |
| SHA512 | 72e6cf722babcb9fad9d6a6454012a8c499c791251b5c8e79248471b55456d8e774f7c7bc000d6cea80c801dae6f88bccbaa8fdf895ef1235ab9b07486513194 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Exposure
| MD5 | b579450bd81da856e5ecb108f164c06d |
| SHA1 | 229064c5f100e4c58b54a8255399e3439789871d |
| SHA256 | 831c1e4db59a3760d75133d3205c0acc96731c09e7cfba0c08fa97e199b34881 |
| SHA512 | c37bc26d2ce4cf62fbd4eda99533552f43b678f6e0cdc518980d459403188ead69fe476b33ed352f547b6e991cff34b89db19bd096c0d1cf57f8b90adf6007ec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Computation
| MD5 | f0aea06a2a81a8ac610dec001d428613 |
| SHA1 | 0bf888626085e9b25fe6e023ecfc6e3fa7bb6e66 |
| SHA256 | c77d2d2b18034f85df5a2a838655eaee63103346f8e03f88e19dc24da3cfcede |
| SHA512 | 6638f737d4b9fd2aa8fb248785938aecac18356507cffb195ccbd1246276a29165875c269fc50b997c145650b17db65ec9e4c7df62fa6cc7e93b44a198ea981c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\Stopping.pif
| MD5 | 62d09f076e6e0240548c2f837536a46a |
| SHA1 | 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2 |
| SHA256 | 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49 |
| SHA512 | 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339833\h
| MD5 | 9f22e7a04fcdea8f62572e53cfa467d7 |
| SHA1 | 82260c2108374a983867cb5313f1d78ab1ecb8d0 |
| SHA256 | 5f3e7c2790222fff933f275057345da4317f5c8ae88fd98a0c338e6273cd3e84 |
| SHA512 | 7c5544f08dbec113a2f4dcd3b400cdc3cf5035139cac3968d32887617507f0c7b3b360e78eb19265008f7cbb3ffda9e93ad82b63ddf5ce310186ce03824492f7 |
memory/5068-71-0x0000000000810000-0x0000000000828000-memory.dmp
memory/5068-72-0x00000000054A0000-0x0000000005A44000-memory.dmp
memory/5068-74-0x0000000005290000-0x0000000005322000-memory.dmp
memory/5068-75-0x0000000006230000-0x000000000623A000-memory.dmp
memory/5068-78-0x0000000006730000-0x00000000067CC000-memory.dmp
memory/5068-79-0x00000000067F0000-0x0000000006856000-memory.dmp
memory/5068-81-0x0000000007200000-0x0000000007276000-memory.dmp
memory/5068-82-0x0000000007280000-0x00000000073A2000-memory.dmp
memory/5068-83-0x00000000071E0000-0x00000000071FE000-memory.dmp
memory/5068-107-0x0000000007C00000-0x0000000007D34000-memory.dmp
memory/5068-108-0x00000000078A0000-0x0000000007BF4000-memory.dmp
memory/5068-109-0x0000000007520000-0x000000000756C000-memory.dmp
memory/5068-119-0x0000000007580000-0x000000000758A000-memory.dmp
memory/1848-126-0x0000000001180000-0x0000000001198000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\Local\Temp\tmpBD31.tmp.dat
| MD5 | 556bc0c1a1d9f1f336dc8592efdbb7cd |
| SHA1 | 857a0ff938c0434e645d105cb91d5d6bc2b8e4dc |
| SHA256 | a6a5675a55568b85e4c996b069e366e6e7c56ecf17a1d8ec8ebe6104b00a6a23 |
| SHA512 | da63e5d7150a7e93f4d501eee8c32cfda21bce7651bfcb9594fbd065d032f536e1105b37ada704de48bea0efbc3e80a81f67c2f630c894c635086eecafab54b0 |
C:\Users\Admin\AppData\Local\Temp\places.raw
| MD5 | 4c19a6b86678d57aa021804aa0596efd |
| SHA1 | c1b9f44750fe365c17078815f5f1da60defb7fde |
| SHA256 | 2428b39024e710ce4ee18216592c467c04fb20f36228cf5f7edf0899ec617308 |
| SHA512 | f071ffb53483ccdac0502634836edb38905fa14a80e9156be534d44f67d31c0037c06f3159c000cce1f78ae47edb4631888ff123b0757bc1d724997c3ae2372c |
memory/1848-153-0x0000000007DD0000-0x0000000007E1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBF0C.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
memory/1848-152-0x0000000008340000-0x0000000008694000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 08:44
Reported
2024-05-07 08:47
Platform
win7-20240221-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
AsyncRat
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\113a8172009135084f3683e7ece90bf0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\113a8172009135084f3683e7ece90bf0_NEAS.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Fisting Fisting.cmd & Fisting.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 330093
C:\Windows\SysWOW64\findstr.exe
findstr /V "BoughtFridgeAdjustmentsReprints" Inherited
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Sony + Exposure + Computation 330093\h
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif
330093\Stopping.pif 330093\h
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Planners" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FireGuard Dynamics Ltd\BlazeTrack.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url" & echo URL="C:\Users\Admin\AppData\Local\FireGuard Dynamics Ltd\BlazeTrack.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlazeTrack.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Planners" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FireGuard Dynamics Ltd\BlazeTrack.js'" /sc minute /mo 5 /F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | TqyMedynBBLz.TqyMedynBBLz | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
| JP | 85.208.110.83:4449 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fisting
| MD5 | d8e90b24eb6fdffc3df6a74e4e38544d |
| SHA1 | 5cf656a011817189cecdaab3e44e7da000f3355e |
| SHA256 | fd8817de96c482af436b45c379bc52a7fca6a0621d5719627a126d03b217f52c |
| SHA512 | 33805bcb4d23e82f2cc90636ca4d1b1a07a74548eac08d5825f9a275d92b053f7d729b69ca340987dd2e7a282f0620f48923e9adf287b551505a0bf80c75286f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Inherited
| MD5 | 849b1e8d989341051d8ae7cd6f72c5b2 |
| SHA1 | 12ca8002b9f6be2059d414b7a7745dba30bea4dc |
| SHA256 | 7976c050fd6dc412172741f6dcc7ce7bd52bf5064bb5a6af9a78540eee635772 |
| SHA512 | cd009d9d75bd7078979f42c242010c2ba9574fc414ae8b3cc10725f7cf51fee8bc784d76f91824990fd51ed73137d0c8f2b0aac56dfe15f323beb813216821d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Warrior
| MD5 | f8c0d69cd3897b63232859d6b5009fec |
| SHA1 | 55346b93c68f91a2f1b603323509ff20cea4ffa9 |
| SHA256 | 89a8c779abe4bf929ae7746ac9e90b698a58f179fa925bbb9fe33dbc1a50ecd6 |
| SHA512 | 4728d1a9c4a2b9d91fec67f825a72a017943ebd279ccec3645db8eeeb4a3d04007132625845ea3a7f16efbc7a6961b70d5b5e227076b918144e144f699f4ee7d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Senators
| MD5 | f4bccaf19494d52305d521f419ab3938 |
| SHA1 | 022d8aac78e21c4f7b1440c9eee25c7cb1f493ca |
| SHA256 | d13d43692b6173b95c4390d3a1d980d66ac38fa1f9849bca41e5e393d894854a |
| SHA512 | a08fe5da833d75ae99c30b891499d311954eba3bea681ab199b095ec1f846e51e9fac320354604d0ea07090849d417d164fdd1e174b07eb7cd14be9e8d548e2e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Somalia
| MD5 | 97d3d432b10a822c2960a9ae97e0ed53 |
| SHA1 | 609d182660eb1bb84d70203c8a23f3a63c32a8fe |
| SHA256 | f59df2e2ddd05424cf91af3a35e527e6662bc0fe00612fdaca2a89fccc8c4d71 |
| SHA512 | 85b4c3be11b9d6ebe020e96aab229c3980de85d76bdc92180666c602de6e4d8bad3f7c09ab01f5fe75bd081a5d459113bee3fab27e78f30f3c0b172ea33e9494 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Stakeholders
| MD5 | 4966194ad8296a52d701f42b740c1f25 |
| SHA1 | fe00d37581272979616b862fc77c189b3bcb2c01 |
| SHA256 | 0529f5cf9f2b08e7142d5c0e075861f5db4f11cfc4e50cb2f73403f4747711c0 |
| SHA512 | a2cd3420119a0da80c14f0518b79981c129b3a82abba8ce9b2509ddb214ff4db8be6598152376b2f1594692e5f019915b7d428cd1e9528860412fd08befaa47e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Minds
| MD5 | bc8effc59b9bddb86d85047ca966988a |
| SHA1 | f68613e1e23575211c871eff9d7946b189345b87 |
| SHA256 | 3dfb2abe5fda3df38322ff87b11c6d691d4518591a7bdcfcaf67f254d7f213ab |
| SHA512 | aa4297c725b42dae9627c0ea07ee04cbf5c92c2e0262145d7d0d14946c238d2bed23e7ff2f8055f6669b9e95821cdccb03cbd3a7d699a55473e2825c5a9c7ebe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sparc
| MD5 | 0f5b0e9ad6cfb5e0a913e0a7c12abe57 |
| SHA1 | 9e793cfc0565c7467b59294608ea8d1308d6c899 |
| SHA256 | 9ef68ca5882d4c436015bf1df787770d4f3f7305bd3b97294ae09d1312f6c9f9 |
| SHA512 | 7174e31dd3d038079835898747a439d324262fcdead7862fd7fcb6e0a7a4d2b29e5ddced5bd6e22365a420445ca5d467fd4773589d6926260f47f736bb7868cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ghana
| MD5 | ec2b1cd3ea12569b1a90cf99d27ca60b |
| SHA1 | a0f0449188a940b1cceba70e92bbd438a785f7ec |
| SHA256 | 66bfdd1518286840d67188fce8ba7be13aad259ccfed4b4e8f8958bd430bc796 |
| SHA512 | ec8ab770a7cbbce4d6986e290a59440cdeada572a65abd8fec4a4018b5c6c9fdd4eeb793d93a645c17c098570dd410774ac9d8470334bbaba7ad7125eaecdc34 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mistakes
| MD5 | b625f8e5b5bcfab8bfd4aa71c228f747 |
| SHA1 | 8ce79654ef55bbda80b028d8f60d9cedd4c9a117 |
| SHA256 | 4d5ce0addc4ff8bea284f52a3f11ef2450f15c8d391eb0a65b2d902226f82e32 |
| SHA512 | 3a1a74205babaf341a9235f71516989e6aca2d6e9508b2358c71f4dc35f8de1e81705d55f7cd915e76bdffcc3cf1eda3e0c9e1ad3121633d7d7ca142c927ca54 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Retro
| MD5 | 6e57da8fb52db44e3d24c644fe9e6dd9 |
| SHA1 | 80bb126cb0dc6d54d4860baa12d4d154e5243c77 |
| SHA256 | 7de34a3fe0463842f6c3a4bc0a2e96e20dfb344fddc1f367e00ca8972b4d0dc5 |
| SHA512 | 92c1e13f3b606ff2061a3a5192a7ad52bd87a88c3f4e3acaa7d34417b28e0aee1f4550cb85297f34854f6bd4f51d03ae1003d4e26d380005987893977fd1b56d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Knows
| MD5 | d9cf305144efe6319dfcc2307d1ff594 |
| SHA1 | c6249a23d4a46629bf3765a80799be258045764f |
| SHA256 | 56db54d340fdda78113ec630a1e5ee83079b379c43db515efe9638e53f9a50d8 |
| SHA512 | 154dcfc89e53273fa33365a66c78cf196e1de4a273333c7bbc8bfe20931c59ed0aff588c1699c95179d36504eb212f02f77dbe59a8f844786bfb0a07ff94eb66 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Regulatory
| MD5 | 6c73f58bda7e5da7e10037764809ac7b |
| SHA1 | dd8fe1e9bbb6925b7adccf38fdab14dd2b5e433f |
| SHA256 | c87ff93edce5898fe1193e7f281f980d5fa876f41260ff19ed07317bd29347b5 |
| SHA512 | 2cdedb740600109ced659e32c9270d0b17427ab993f792627b16f84ecfb310ad506aa2ee263f4cc11901c66f0eaf8f3cc76dcfe7b5893895d06b0d4865720020 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Saves
| MD5 | e398341fcccb6180175a67de57e2fe4c |
| SHA1 | 2a69f148208a7a423b3043289b1a858af2fb34a2 |
| SHA256 | 5ae360d7e3c72daa0ec9ff9766d95f504239b627c597b7e2468cf69882bcf315 |
| SHA512 | ed91bad4a94a9931a88a052662eca4e38ca5084a3baacd1a369fa36f386f5b64380571d9751936b1c9f73433899a974c33b208372b60fb84ba8f38aad3c688c8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Either
| MD5 | 03250f004b96859e3158fae4f6bc0b81 |
| SHA1 | be0a9e5974f1cfc25ec3cf9bb6875522f792f1e8 |
| SHA256 | 5c73eed5563c6171003ebf296f3fd49c917ae225b5803f32423be24cc34e3a3b |
| SHA512 | 9405e61b43ef9ef585673d2000216d17fc90d55fffe31b9b907fb98c197b77fd7825d17a0dab7326705ebd59d977f46e01767cf5879069769e81dda92fcb025b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Suburban
| MD5 | 4aa4fcf681c797e6f3f386b73f058478 |
| SHA1 | 91c626a6061180ea4204c9d98b2f501096a9966a |
| SHA256 | d814ad6fe816a22e3368f6c4d20a0e49a9c9a8fde7f782f0c6d481f20fd66d34 |
| SHA512 | fc99b5293696b779cffb83ad424ec136fb3573229ddbc3f0be8934cf091125c3ca6d1b52d3d1c9b3364ed1e4571672b87ac64910ad588139c8d5431f1a1fc009 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Classified
| MD5 | 07debd9aa8e8f93fb444ade604c5aac0 |
| SHA1 | 17f3cc110ac0c05baaa1d7c73a8d4281fb875793 |
| SHA256 | 5014b55c0ccf57fd035c7a59447d01abd50d9edc850d40b60d3c05bf61f35cf3 |
| SHA512 | f12ba0fdec4c19968ceebfdcce8fa18ed216c7a3b7f73321437d0ca49ace1b419654164eeb929c6bfdb2f74d621ec9224708530569504a983927b1fc19aa0847 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sides
| MD5 | 4ff3fa065fe8157720cb59263f34c567 |
| SHA1 | 1af2259e245fec769398bf13636f3bb62b0618bc |
| SHA256 | 0233147905e47dbb1122e1bdb5d396b8be4214e6e3597e7dd8b06b4168affaa9 |
| SHA512 | 0614d2d82b990e3cad16c107d44a0f44ab39b392cbeeb68623f5c01ce2fcba760350e7b697fd9a039d1306383dcd4bc6a2ae816112adbe9789c4466c73eb1892 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tall
| MD5 | 829cf2b2bfc78d05f95154c2b023601f |
| SHA1 | 03c4ea60a18dfeb93b4d69e8f23fff2d0ad4472f |
| SHA256 | 50de5c2dd580dcbcdd11c7d45e6b877b4bcb056e291f9e3ed690736a4d12eefe |
| SHA512 | 1144977513b6dbbe10589ec057e058d6302348b14e998a7e1ce425e5016995f9f48809d328bf22bb2788f4c7d9e79cfe062a85a4f110eaf597279cb6f0b7dfd8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Laboratory
| MD5 | eddba146fce3fa7a450aa55f4ca2369c |
| SHA1 | 280293581330c9821a8d3dd5ebb4163d30ea51a2 |
| SHA256 | 04f2a37926fc12bba0d9e7bd03924725bff1b9439d218c3cbef7cf6304377ac1 |
| SHA512 | b8233dd24c1bde1608a0ee408ab0b2542f0ad391b922785771f3f23a0741a8eef7d72b7407ab78009bfba60ea0689024f1d162158c06d2ea4994b1db80cb0833 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jamaica
| MD5 | a0c97f3faff398c9e8dcbd37a17f2cc3 |
| SHA1 | 7122de6070a99973bb6a35de772b8a73ebe2fb5b |
| SHA256 | a7150d3d3e8f76dcf1cf7abdc3bdd8c46a2b60cfde83e5fbd1d0d9f4a5c488ae |
| SHA512 | 14f2e2b019d4f3c949a79fe05e34007eb5ce1dc69d733ead687aa76e8baded9927bdec569fe14f496ac0ad217a1f8752697846d09378a3b5857107978855ffb5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Got
| MD5 | b1b686c13028845dfb364778ba3e930b |
| SHA1 | 9d4879242f72828137bf05b7438a451a130fc94d |
| SHA256 | a0467302c53713f49c5c81cf69c5eea0cf315b6a50527843fce16af1bcb29848 |
| SHA512 | fd7cd3eb649057f9182b6634600830e43cd08b0320c2544e9002077fd80ad445c0ef1f47a41a0b35b80cba0f5039867653bf63ce34d6c9c83f2232835c033b64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Won
| MD5 | b64f8ca3edcd8026c33cd68e2c18d2c3 |
| SHA1 | 73146b6ea976402ee53780eccb143435a50ea4d9 |
| SHA256 | 00a9785a5853900083a60d715d58e64ae5608bd30b04acd276673a698c8df645 |
| SHA512 | fc6763a24010ffa16354a0726b71d6a0b48f3e59ad28d31ef590ab3e42df7aa6692d74e72535279900704a44f28f16085b994f4b79b2ba0961ecb53795022d39 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Talk
| MD5 | af2e4fa5ea7f52df461f5ac0b0cef67c |
| SHA1 | 56be72c397b3769acf1d302e5372c97d5c077171 |
| SHA256 | be02bd95868ebf4f354b807ea571670150e032aa8257ab220fe8e4af083a694e |
| SHA512 | 15388c184b2795f0fc003d364c97086c8ff0fec2b2379746523808fba471ccf54b13bef628054b2b4254903e81df114649f8461e8d9306116216360d12d49e02 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hamilton
| MD5 | 15c593aca9fc5cf7d47e4c3cd48e26ec |
| SHA1 | 49c97258bbb89f2e52ce3ca7352e8b7593da5cf3 |
| SHA256 | f4b16652e429bfba5652c58dd82c791294f16fc397a2f33ce85030ff0a3b9ac5 |
| SHA512 | 0461146aeb7bd97e6be14da727eadedffb3c5ffb83bf6c67f1db8bb6795e4e62acb140457f761b79bd00e4bf3a1e84a9e871977db256ac17c854e14e8b424993 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Diverse
| MD5 | 6efceb1fcf815f61da5e0cc3790d11ee |
| SHA1 | deaa0d31ef059029157bd87e020070643d986b87 |
| SHA256 | 84087586b5d87f582bfc8d45008f86842b0c26c9e3c37170b31d1e8820103b9b |
| SHA512 | 35fe73b662c60ffcd123053dea66254dcc88cdd58d2f8307ba00c6845b92c04904348dae4f3d04ea48f2a3320bb624ff032547726852b8da53df89fb860f805d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sony
| MD5 | a5d54c564593543f1a8ac7baa0bac0c3 |
| SHA1 | 8661fa81bd99c060ac4f6df7500d9449d51a044c |
| SHA256 | 338413aed073738ca30c2ab2cb0e18d32502d03df06351ec371bc76cee7e4f81 |
| SHA512 | 72e6cf722babcb9fad9d6a6454012a8c499c791251b5c8e79248471b55456d8e774f7c7bc000d6cea80c801dae6f88bccbaa8fdf895ef1235ab9b07486513194 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Exposure
| MD5 | b579450bd81da856e5ecb108f164c06d |
| SHA1 | 229064c5f100e4c58b54a8255399e3439789871d |
| SHA256 | 831c1e4db59a3760d75133d3205c0acc96731c09e7cfba0c08fa97e199b34881 |
| SHA512 | c37bc26d2ce4cf62fbd4eda99533552f43b678f6e0cdc518980d459403188ead69fe476b33ed352f547b6e991cff34b89db19bd096c0d1cf57f8b90adf6007ec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Computation
| MD5 | f0aea06a2a81a8ac610dec001d428613 |
| SHA1 | 0bf888626085e9b25fe6e023ecfc6e3fa7bb6e66 |
| SHA256 | c77d2d2b18034f85df5a2a838655eaee63103346f8e03f88e19dc24da3cfcede |
| SHA512 | 6638f737d4b9fd2aa8fb248785938aecac18356507cffb195ccbd1246276a29165875c269fc50b997c145650b17db65ec9e4c7df62fa6cc7e93b44a198ea981c |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\Stopping.pif
| MD5 | 62d09f076e6e0240548c2f837536a46a |
| SHA1 | 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2 |
| SHA256 | 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49 |
| SHA512 | 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330093\h
| MD5 | 9f22e7a04fcdea8f62572e53cfa467d7 |
| SHA1 | 82260c2108374a983867cb5313f1d78ab1ecb8d0 |
| SHA256 | 5f3e7c2790222fff933f275057345da4317f5c8ae88fd98a0c338e6273cd3e84 |
| SHA512 | 7c5544f08dbec113a2f4dcd3b400cdc3cf5035139cac3968d32887617507f0c7b3b360e78eb19265008f7cbb3ffda9e93ad82b63ddf5ce310186ce03824492f7 |
memory/2328-73-0x00000000001C0000-0x00000000001D8000-memory.dmp
memory/2328-74-0x00000000001C0000-0x00000000001D8000-memory.dmp
memory/2328-75-0x00000000001C0000-0x00000000001D8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar5690.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |