Analysis Overview
SHA256
bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56
Threat Level: Known bad
The file 3644f9a06d97f903a5ceebdd7f2f4500.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
AsyncRat
Async RAT payload
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
Looks up geolocation information via web service
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Checks processor information in registry
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-06-28 06:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 06:52
Reported
2024-06-28 06:54
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3644f9a06d97f903a5ceebdd7f2f4500.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1616 set thread context of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | C:\Windows\system32\relog.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f4,0x7ffd3b3c2e98,0x7ffd3b3c2ea4,0x7ffd3b3c2eb0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2276 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3480 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5324 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe
"C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe
"C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe"
C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe
"C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe"
C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3468 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D7F.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe
C:\Users\Admin\AppData\Local\Temp\TH6E1.tmp
C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe
C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Temp\tmp4D7F.tmp.bat
C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\System\Process.txt
C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\msgid.dat
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 06:52
Reported
2024-06-28 06:54
Platform
win7-20240508-en
Max time kernel
147s
Max time network
145s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22DC.tmp.svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23C8.tmp.svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Macromedia = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Service_Macromedia.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Media Center Programs = "C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\Service_Media Center Programs.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3644f9a06d97f903a5ceebdd7f2f4500.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Identities = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Service_Identities.exe" | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2216 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe | C:\Windows\system32\relog.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe
"C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Users\Admin\AppData\Local\Temp\22DC.tmp.svchost.exe
"C:\Users\Admin\AppData\Local\Temp\22DC.tmp.svchost.exe"
C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe
"C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe"
C:\Users\Admin\AppData\Local\Temp\23C8.tmp.svchost.exe
"C:\Users\Admin\AppData\Local\Temp\23C8.tmp.svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp342A.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lsrael.today | udp |
| US | 104.21.63.227:443 | lsrael.today | tcp |
| US | 104.21.63.227:80 | lsrael.today | tcp |
| US | 8.8.8.8:53 | lsrael.today | udp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| SY | 94.232.249.111:8808 | N/A | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 172.67.172.92:80 | lsrael.today | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe
| MD5 | 3644f9a06d97f903a5ceebdd7f2f4500 |
| SHA1 | 53ed26fba664d03b0e2423d6da7235c983fe2a1e |
| SHA256 | bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56 |
| SHA512 | f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a |
\Users\Admin\AppData\Local\Temp\TH1F94.tmp
| MD5 | 933bc84c355410977507fce60295cc73 |
| SHA1 | 1b395d4888d1dc60127e7c65fe7da857981bda1e |
| SHA256 | f097a2cdef650eddd702047ae31625bafedd92099b92c1cfc61be73e636ed152 |
| SHA512 | d7f3ae4b5729b392e610fd084b7b19408ec52215106e8dd58cf7d019db8cd398bd4a368adf526e72f8cd6e8584ac0fe392d979e719df79bb17b5570542cb4740 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk
| MD5 | 5b0f800b4cd137a576327ba41ad8ce41 |
| SHA1 | 21be32cb89fce391330a451811850456c8afb34d |
| SHA256 | 949318fbf13d2ac3d6884f178e5bd25d891c6071cc7fd69dbc9045bf294a9e72 |
| SHA512 | cf559c65b7e97bd52b04af38f4a4903fae2c77c58bd7ce0ec832ff8e7eb65379b872485475c507a6ba80ab766abcb4a5a3a54e9a0cce7fa5c7f5c6009e13832e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk
| MD5 | 9cd73872889252234910131a0e77e8e6 |
| SHA1 | 8ac54b01e3abd4f60f8ea7f01feb2fcdddf43a6a |
| SHA256 | ca9943ee5d5ed715f936f1d1c3bec22ac18dd1417b98a585bbe0ba2bd6626a43 |
| SHA512 | 52d99c5fa8a08df875d2bfa164c4253d2f9d12d629baa4c16d93a940b6e95e0c38c70e50b033ae9ffc0c735ee56ec3839fd132981de6545ada7fcd212ab5fecb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk
| MD5 | 864c979cf24d021b40a080efd2a7d354 |
| SHA1 | 078000eff7a1125854ac4fde70359b77c2d9da6a |
| SHA256 | 7cb7b89d12d51efa6d32134ba1b73dc0d4db61cc9a9c40f712acf73f0ead1dab |
| SHA512 | 2bcc8f95c36aa2c968bfd4d5f7f9caf1cac9e029a18d6dc31db8062c11346f5dc0f776ac01dffc7afe3c2a9f32a39f4fa8914bd738b39268dc9f8f85872a55bb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk
| MD5 | d42b02c8c0bac745df729913af425e69 |
| SHA1 | 1ab3fe9df3156cef02c7eadd387c0c9d35a0183f |
| SHA256 | f08e8e8beb4340f5b4572cceaa7cbb68895f42fe12047ee3f04d99a3cefc75ed |
| SHA512 | 01f29e9fda371654ee56cf1737d5952c835b5a2fe61b614785afabdbb7668292cf8b4ddcedaff2476577998150d685f28ddc298562bd5e0a395ecdddbf12bcad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk
| MD5 | 2c272841a6b8e5a31a09aaa581ee4059 |
| SHA1 | d87b66881323eeca8d325984982795c0de9eae33 |
| SHA256 | 51fd31127497996dcfa0be56240f5ed7789390b59517d91634d99b05979f9557 |
| SHA512 | a9fc6df91e883e9345d0da2084f9c7b4bcc1d2bdbb9f38987ce9bdb24bef95bb3d6cd2244c815f6d2561e9049add1fd99072b85d22a6371d642d23dce1c78bbc |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk
| MD5 | 64837a79620c1408dccedb9a6872b77c |
| SHA1 | a8ac9ee73b0bef41a30eced76a86fc16d5d9b415 |
| SHA256 | 9f696867e04d8e36469909b7ab9beda19ea83b73c147d56ee6b89b0a87a5211d |
| SHA512 | 13d81d8cf8b37d85d13b654d028ff04adbf9fbf9b188bc6dc2fcb79f6524c5b96d791f0ab75f379730bf5d312591042238dfab370dc9b57d531be72a13e7bc7d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk
| MD5 | e281dd02da707ae372485940dd65ad89 |
| SHA1 | c4fc2c9d3014f8dc8c80e3c35e334839c9d5911e |
| SHA256 | 53b74d3547769e5695eca2398926c325badc7e59f5fba05d838f2154136808fd |
| SHA512 | 3da365a463467b355d570ddddc28bd69a177e9b9e66103b8bd655f88ca5063ebfc9a79cabcce4d91badf042c94a68659fb8d7ca1009df94d399cdbb8a66b0c27 |
C:\Users\Admin\AppData\Local\Temp\22DC.tmp.svchost.exe
| MD5 | 6d13d147a209e3be044035f0c03b7bde |
| SHA1 | 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283 |
| SHA256 | 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548 |
| SHA512 | a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9 |
C:\Users\Admin\AppData\Local\Temp\2379.tmp.Serverssss.exe
| MD5 | da34ea26ddfedfd7966e8aedf0bb93e6 |
| SHA1 | ba30bde364d564268d175090364158cb66c165a9 |
| SHA256 | 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20 |
| SHA512 | fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff |
C:\Users\Admin\AppData\Local\Temp\tmp342A.tmp.bat
| MD5 | 7995660c84b39705a9bfa6219f336d6c |
| SHA1 | 4834f8f9654eb5b0f385db542fddb8e96cf54457 |
| SHA256 | d498073a76e27a41e1cd2960e11e4d91bd2a1c3cbc7cd803bbe28bc3ff255ad0 |
| SHA512 | 293194472b1d4e47df2fe002a02ac3b1cfacc4960a3e56f44e7e98c7f0fb08cfce557cdff36c541ee6af75ce716e5e47cbd5e4b0e83565c1bdae9b1650a8f7c8 |
C:\Users\Admin\AppData\Local\128d0b0392e416c5cd469fa27e8d4653\Admin@UHRQKJCP_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a2ef3b71d625ae8910a8c52e08c9977 |
| SHA1 | 2790e5f8b36d52ff8dbed052cef7d87bc0537cfe |
| SHA256 | 55ae24b5ad7e8d07d0acc806b64b7a49441a6e1e219bd0e8bcaa0c9b3700c422 |
| SHA512 | 076b2f4eb106fba0c63315b9c2b03c930d7a4a501db9cbc0d35c4dc897002f049944dae09e016214dd34d9858fee2739753e41a06aa66afe42734f6ffc617974 |
C:\Users\Admin\AppData\Local\Temp\Cab4DE2.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\5ea1f8d352b61a84ae2baa81d2cef9ca\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |