Analysis Overview
SHA256
60042cce19f189d6d3666b05cb7a30d2751735d393e22aa08756fb685b5ab1e4
Threat Level: Known bad
The file BIN V3.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty
StormKitty payload
Stormkitty family
AsyncRat
Async RAT payload
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-09 11:30
Signatures
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 11:30
Reported
2024-07-09 11:31
Platform
win10-20240404-en
Max time kernel
32s
Max time network
35s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BIN V3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\BIN V3.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Users\Admin\AppData\Local\Temp\BIN V3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BIN V3.exe
"C:\Users\Admin\AppData\Local\Temp\BIN V3.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
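Two things in the process tree are worth turning into detection logic: the `cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All` and `netsh wlan show networks mode=bssid` chains spawned by the `._cache_` executables (saved Wi-Fi profile and nearby BSSID enumeration, the StormKitty Wi-Fi grabber), and the staging directory layout under `%LOCALAPPDATA%\<32 hex>\<user>@<host>_<locale>\` that every `desktop.ini` grab and the final `.zip` in this report share. A caveat on the signature above titled "Event Triggered Execution: Netsh Helper DLL": the entries under it are all reads (`Key opened`, `Key queried`, `Key value enumerated`) of `HKLM\SOFTWARE\WOW6432Node\Microsoft\NetSh` by `netsh.exe` itself, which is how netsh loads its registered helper DLLs on every start; the report shows no write to that key, so the T1546.007 label reflects key access, not helper-DLL persistence. The interesting behaviour is the wlan harvest that caused netsh to run. The following is an added example, not code from the report or the sandbox; it runs over constructed Sysmon-style events modelled on the tree above (pids are made up) and flags netsh wlan commands whose ancestry passes through a user-writable directory, plus a path matcher for the staging layout. It also treats `key=clear` (the passphrase dump that usually follows profile enumeration, not shown in this report) as a higher-severity variant.

```python
import re

# Constructed sample telemetry modelled on the process tree and file paths in
# this report (pids are made up; parent links follow the tree). These are not
# captured Sysmon events.
PROCESS_EVENTS = [
    # (pid, ppid, image, command line)
    (10, 1, r"C:\Users\Admin\AppData\Local\Temp\BIN V3.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\BIN V3.exe"'),
    (11, 10, r"C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe"'),
    (12, 11, r"C:\Windows\SysWOW64\cmd.exe",
     r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (13, 12, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    (14, 12, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    (15, 11, r"C:\Windows\SysWOW64\cmd.exe",
     r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (16, 15, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Benign control: the same netsh command typed by an admin in a console
    # whose ancestry contains nothing from a user-writable directory.
    (20, 1, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    (21, 20, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

# `netsh wlan show profile(s)` lists saved Wi-Fi profiles, `show networks
# mode=bssid` lists nearby access points; `key=clear` on a profile query dumps
# the stored passphrase (the usual follow-up, not present in this report).
NETSH_WLAN_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+(?:profiles?|networks)\b", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)

# Staging layout seen in this report:
#   %LOCALAPPDATA%\<32 hex>\<user>@<host>_<locale>\{Grabber,Browsers,Directories,System}\...
# plus the final archive <user>@<host>_<locale>.zip beside that directory.
STAGING_RE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{32}\\[^\\]+@[^\\]+_[a-z]{2}-[a-z]{2}(?:\\|\.zip$)", re.I)


def ancestor_images(pid, by_pid):
    """Yield the image path of every ancestor of pid present in the event set."""
    seen = set()
    ppid = by_pid[pid][0]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield by_pid[ppid][1]
        ppid = by_pid[ppid][0]


def detect_wlan_harvest(events):
    """Return (pid, severity, origin image) for every netsh wlan command whose
    process ancestry includes an executable in a user-writable directory."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, ppid, image, cmd in events:
        if not NETSH_WLAN_RE.search(cmd):
            continue
        origin = next((img for img in ancestor_images(pid, by_pid)
                       if USER_WRITABLE_RE.search(img)), None)
        if origin is None:
            continue
        severity = "high" if KEY_CLEAR_RE.search(cmd) else "medium"
        findings.append((pid, severity, origin))
    return findings


def is_staging_path(path):
    """True if a file path matches the stealer's staging/archive layout."""
    return STAGING_RE.search(path) is not None


if __name__ == "__main__":
    for pid, severity, origin in detect_wlan_harvest(PROCESS_EVENTS):
        print(f"pid {pid}: netsh wlan harvest ({severity}) rooted at {origin}")
    print(is_staging_path(r"C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe"
                          r"\Admin@UOKLYWYH_en-US.zip"))
```

The ancestry walk is what keeps the rule quiet on an administrator running `netsh wlan show profile` from a console: the command line alone is identical in both cases, so the signal is the `._cache_` executable in `%TEMP%` above it. The four hits on the sample tree are the two `cmd.exe` wrappers and the two `netsh.exe` children; dedupe by the wrapper pid if one alert per chain is wanted.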
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
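The Network table mixes resolver traffic, reverse lookups, reconnaissance services and the actual exfiltration and C2 paths, and the loopback rows are short a column. The following is an added example, not output from the sandbox, that parses a subset of the rows copied from this table (keeping the column-short shape of the loopback rows so the parser has to cope with it) and groups the destinations by the role they play for this sample. The roles are analyst knowledge, not something the report states: `icanhazip.com` returns the caller's public IP; `api.mylnikov.org` is a Wi-Fi BSSID geolocation API, which fits the `netsh wlan show networks mode=bssid` in the process tree and the "Looks up geolocation information via web service" signature; `api.telegram.org` is the Telegram Bot API used for the stealer's report; `pastebin.com` is the service the report flags under "Legitimate hosting services abused for malware hosting/C2"; `xred.mooo.com` is a FreeDNS (afraid.org) dynamic-DNS name. The `127.0.0.1:6606` and `127.0.0.1:7707` connections match two of the three ports in AsyncRAT's default client settings (`6606,7707,8808`), whose default host is also `127.0.0.1`; that is consistent with an unconfigured AsyncRAT build, but it is an interpretation, not a fact the report establishes.

```python
import re
from collections import defaultdict

# Rows copied from this report's Network table (a subset). The two loopback
# rows keep the column-short shape they have in the table.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
"""

# Role of each destination for this sample (analyst knowledge, not report data).
CATEGORIES = {
    "external ip lookup": {"icanhazip.com"},
    "wifi bssid geolocation": {"api.mylnikov.org"},
    "exfil via telegram bot api": {"api.telegram.org"},
    "paste site (c2 address / payload hosting)": {"pastebin.com"},
    "dynamic dns (c2 resolution)": {"xred.mooo.com", "freedns.afraid.org"},
}
# Ports in AsyncRAT's default client settings ("6606,7707,8808").
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

ROW_RE = re.compile(r"^\|(.*)\|$")
PROTOS = {"tcp", "udp"}


def parse_rows(text):
    """Parse '| country | ip:port | domain | proto |' rows, tolerating rows
    that lack the domain cell or carry an extra empty trailing cell."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        cells = [c.strip() for c in m.group(1).split("|")]
        cells = [c for c in cells if c]            # drop empty cells
        if len(cells) < 3:
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        proto = next((c for c in rest if c.lower() in PROTOS), None)
        domain = next((c for c in rest if c.lower() not in PROTOS), None)
        host, _, port = dest.rpartition(":")
        conns.append({"country": country, "host": host, "port": int(port),
                      "domain": domain, "proto": proto})
    return conns


def classify(conns):
    """Group connections by destination role. DNS rows are reported by domain
    only; direct connections as 'domain (ip:port)'."""
    out = defaultdict(set)
    for c in conns:
        endpoint = f"{c['host']}:{c['port']}"
        if c["domain"] and c["domain"].endswith(".in-addr.arpa"):
            out["reverse lookup (resolver noise, not an ioc)"].add(c["domain"])
            continue
        if c["host"] == "127.0.0.1" and c["port"] in ASYNCRAT_DEFAULT_PORTS:
            out["loopback on asyncrat default port"].add(endpoint)
            continue
        for role, domains in CATEGORIES.items():
            if c["domain"] in domains:
                out[role].add(c["domain"] if c["port"] == 53
                              else f"{c['domain']} ({endpoint})")
                break
        else:
            out["unclassified"].add(c["domain"] or endpoint)
    return {role: sorted(v) for role, v in out.items()}


if __name__ == "__main__":
    for role, iocs in classify(parse_rows(NETWORK_ROWS)).items():
        print(f"{role}: {', '.join(iocs)}")
```

When turning this into blocklist entries, keep the distinction the grouping makes: `icanhazip.com`, `api.mylnikov.org`, `api.telegram.org` and `pastebin.com` are shared services with legitimate traffic and belong in a correlation rule (stealer running from `%TEMP%` plus these four in quick succession), whereas `xred.mooo.com` and the `freedns.afraid.org` HTTP request are specific enough to block or alert on outright.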
Files
memory/4188-0-0x0000000000580000-0x0000000000581000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe
| MD5 | b3236d441e05eb20155c6b4f797bbd8d |
| SHA1 | 0d71d54ae067e1bbc32d6d40bc977487b176e3ed |
| SHA256 | c04681955398625568aecfef915a3bff39ea106edf11ea0138618ea4e1a027dc |
| SHA512 | 9b66d19bb13e0aa614d6e8442b79225e7ae097d75a005dd23414cd2d8b4f89c63f21f5cc993bc263f15ea319b8827cadffce653e43a5a6262cd87ea7d1b8fd6b |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 9491db7ca184d0b17ccfd376ecb6ef50 |
| SHA1 | e75b6e62ce0b1236dc9be42422d4cc5dc9949e5a |
| SHA256 | 60042cce19f189d6d3666b05cb7a30d2751735d393e22aa08756fb685b5ab1e4 |
| SHA512 | b2429ea5c490123b6c15321ffcc6ad0245724c05a90705bb3583188f81b0bf546e0735e34b373c6e887b795c092a4b6fc5f3fd3db11d9bac460038ffa2b874fd |
memory/1472-112-0x0000000071A3E000-0x0000000071A3F000-memory.dmp
memory/1472-117-0x0000000000170000-0x00000000001A2000-memory.dmp
memory/4188-116-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/1472-173-0x0000000004AC0000-0x0000000004B26000-memory.dmp
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
| MD5 | 87a524a2f34307c674dba10708585a5e |
| SHA1 | e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201 |
| SHA256 | d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9 |
| SHA512 | 7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
| MD5 | 3a37312509712d4e12d27240137ff377 |
| SHA1 | 30ced927e23b584725cf16351394175a6d2a9577 |
| SHA256 | b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3 |
| SHA512 | dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
| MD5 | ecf88f261853fe08d58e2e903220da14 |
| SHA1 | f72807a9e081906654ae196605e681d5938a2e6c |
| SHA256 | cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844 |
| SHA512 | 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini
| MD5 | d48fce44e0f298e5db52fd5894502727 |
| SHA1 | fce1e65756138a3ca4eaaf8f7642867205b44897 |
| SHA256 | 231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8 |
| SHA512 | a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
| MD5 | 29eae335b77f438e05594d86a6ca22ff |
| SHA1 | d62ccc830c249de6b6532381b4c16a5f17f95d89 |
| SHA256 | 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4 |
| SHA512 | 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
| MD5 | 9e36cc3537ee9ee1e3b10fa4e761045b |
| SHA1 | 7726f55012e1e26cc762c9982e7c6c54ca7bb303 |
| SHA256 | 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026 |
| SHA512 | 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790 |
C:\Users\Admin\AppData\Local\Temp\tmp7DE1.tmp.dat
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\Users\Admin\AppData\Local\Temp\tmp7DEE.tmp.dat
| MD5 | dc89cfe2a3b5ff9acb683c7237226713 |
| SHA1 | 24f19bc7d79fa0c5af945b28616225866ee51dd5 |
| SHA256 | ceddefa824f1dd6e7e669d4470e18e557c22fe73359f5b31edf4537473b96148 |
| SHA512 | ee5d047e1124351997ecfaa5c8bd3e9ce8a974ac281675cda4d0a55e40f3883336a2378b9ebf3d1f227d01b386c26473c32e39bcab836da2b392bf778a6cf5c2 |
C:\Users\Admin\AppData\Local\Temp\tmp7E2F.tmp.dat
| MD5 | c0cc6303d99cb3c65433fd0db9eaef1e |
| SHA1 | 5998c5e611bda8caa10746ff241cdb4cc01fabc4 |
| SHA256 | f673d384f05cc963445330252ca74b8268226501a3a118fc7bd13b8dfdeaf2bc |
| SHA512 | ade00bcf538cfa77851c1129b4982c51ac66f9712fa9814b906df2a9f16ff7dcc80e662667df9d652daa110b383a63822d40fd3aefea01aa9565928c1fe2cff5 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\Downloads.txt
| MD5 | 81482a4cdbf32dda7b9a8d20c40e57fa |
| SHA1 | 0b151679b8ea83f5396c3f487c33210d583cd67f |
| SHA256 | 0a7776eb83c4bb9b4137b19684221a60f17909a6e519cba78db752ff6942efd4 |
| SHA512 | e6c5e85012604b96ab15dd89e9de3c68896cfbb8f14fbf81ee7d4d54d1faa7bc7a7cd211e34791c22780687b362ef82773188bc93cb7f1a9c94c0fd51ffe6ddf |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\Pictures.txt
| MD5 | 30f925e309835a8507fa96fece24c050 |
| SHA1 | 75009052bf84c17f5068809c8b675d8526ce670a |
| SHA256 | e8ec9a938d30c88401e01edfafa9a44c73e228a0c1603486cc00f0114ebf7921 |
| SHA512 | f599df36d33cda3972767c0e27020b58d016f80e900a774e5b92843cc97a3e846516a9b9a70835d911242294272059b743379c7175be11aac233b89291710a87 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\Documents.txt
| MD5 | c12f9bed05cbbb3a16b107e2b411e5d9 |
| SHA1 | b02e838b7dd626f1939298f1955d0c215e72543d |
| SHA256 | bfc7f8e0909f495a27b7af5256be7bce040cd9d64f01ca45f4df3ba1642efbe6 |
| SHA512 | 49a1a7b3e7ea2726a4f19de5ab0c9c380f1edc193c7396e2a0e8ad930a7a7bed642bf1e6ad06e0d524a83ed3274e49683c349156126c697997b46f8a1f7a432f |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\Desktop.txt
| MD5 | ca7ec1baebc6572a1f6bd5cb7dc50bdb |
| SHA1 | 3081913fa33f3b64c5d1f2b9a515f1431f57c724 |
| SHA256 | c3d716f02726bc48cc3314b0adf8be14cfd21dfe94f813d343c5a305749c48f0 |
| SHA512 | 056ad48afebffda0cd81b124df196feb4a73289f2af45e9de5c01ef1316303144d8a9d22fadefb92c203837d76c2396143e517296373d1eb9be649f51394bfdc |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Directories\Temp.txt
| MD5 | d9be350ea1fb5c58a644cc37079193cf |
| SHA1 | a05fadc0fecfc0cf8d84c5169991b9e4bcc5f5ae |
| SHA256 | d5e3ff007ef8577a09791f7d5d04f6521071bd2b048e7f1d2cf021292bc96e75 |
| SHA512 | 158062340f6b7d58b6a5166c4014bd30c0475b8607fce012ffb456aef95425ee151b2d39087998c17bcaffdc0af48112982b485e5fc26d4db430eaae075add47 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\Process.txt
| MD5 | e1eccab5dc482014e8a47ebe7481b5f6 |
| SHA1 | 99dfd072488e70f1f4ff8a8c0481f3f0b6264e9d |
| SHA256 | b7a8b3edf269e6d3064e42ca6502927c36351c8c0e83a9933bbfbf011c925edd |
| SHA512 | b339c6318f0475fef5586c82b6146e0a27c71acad1badf3c04adebad6c5518f011f31cbc54d46fcc5187213f05e2c70eee0cca9817bef5487953763eacde56f8 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\Process.txt
| MD5 | 64c5b0b55ef37674cb9dd640a4a21ca4 |
| SHA1 | afc348912b9a1c63974e6ef4abf814836f3d4c5c |
| SHA256 | f4c8a7e51f3be61b328efd31cba51e196d693ab22d88cb4c778d586e5165cf4c |
| SHA512 | 3e32c0f0ea84e86505af6e0b7a38ad36c728c4f53d75d0eb943a03f5e0c98f23d7e8b3693f604f382a81a70570be73de80b74e3c302f127233dbb5a081b64ede |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\Process.txt
| MD5 | fbe7446b987a4decf86a538067715c51 |
| SHA1 | 470fb2af396fc077749f5101aceedcf09ab5aaac |
| SHA256 | c027ad50827596f08319dba0e51cb33ef76d267de95ef89d5795ade9565df6df |
| SHA512 | 95f32c2f0beddae63d0c9a847aa829ca44ca32a5a1826033f39ae4819274eb616e5c0459b337427121bea25c9d4abd590311d0387860b124b16b817fa8a4a76a |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\Process.txt
| MD5 | 08a175ad5aab4bc69e90f245d5e77a2a |
| SHA1 | ebc0f329745e5998c2ca16b21d5f11c2c66b8c07 |
| SHA256 | 082eaf19a13125e53bc38de8cc7c1ef6a1134e69dc93ad074c1f4087460a4973 |
| SHA512 | e7e2c78f2efb77c17bdad545f076e2bc5c8745818af4aa92d918f8b8980fb718b20835847905f8f641dadea42be20357b783333ce990bf072930fbc82fcaa55e |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\Process.txt
| MD5 | 4348b4fb689287ad677cad03d0a974fb |
| SHA1 | 298d44adae4ddff4cc64ab0cd52a12490b8c8fdd |
| SHA256 | 25d5fec84f8188b071297e268121941f0a99500eff12b51db010468d5e2480a0 |
| SHA512 | b99f61e203399c02f13424db13fcb424ce015b7d45890f18cedbf0d04da839279a296fd2f6a7aa88806b201c3f2f5d876b3c52d632321e72f4e1ae857a892cf9 |
memory/1472-282-0x00000000051C0000-0x0000000005252000-memory.dmp
memory/1472-284-0x0000000005760000-0x0000000005C5E000-memory.dmp
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\Process.txt
| MD5 | 53bbc70f35e1b21913ab735ffe03a5d3 |
| SHA1 | 182c4af584f39c989d2a7535143a9454b5600fd3 |
| SHA256 | 037f67b3a162b7bf3ce3429fe99173dcdfd9fd8a9d7ab5d75ee8bb899c1f370f |
| SHA512 | 0c228830078997e40a85c41c83321e0a7fcbbadd66c328c209d518527fab58d18bdfd22a4a8bfc4b96e6543e3e7627b1e1a158b4f86ca2bc0df101bcf823d44b |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\WorldWind.jpg
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3336-359-0x0000000000400000-0x00000000004EE000-memory.dmp
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\ScanningNetworks.txt
| MD5 | 9f11565dd11db9fb676140e888f22313 |
| SHA1 | 35ae1ce345de569db59b52ed9aee5d83fea37635 |
| SHA256 | bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d |
| SHA512 | d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace |
memory/1472-364-0x00000000052D0000-0x00000000052DA000-memory.dmp
C:\Users\Admin\AppData\Local\fbdeda46abe21a1f3f934d98cd6ecbf4\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/1472-370-0x00000000052E0000-0x00000000052F2000-memory.dmp
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\Process.txt
| MD5 | 75c731e0cf9c154453de0d91e2d34329 |
| SHA1 | 76c6a8cc64572a67f2aba9668b0049248f557e0a |
| SHA256 | a2d9734e45648977871474c62045c55da365386c8464e5b9f96a6d334c0ccd54 |
| SHA512 | 4ea6be4dc49060e503c2c6efe0878f9da02005fb087dea7a8e8fbd0032b30daab92a3243fc9e9d2d8cb968f2cb7a1662263bc4aaf8b8758fc9a79bf38cb6c31a |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\System\WorldWind.jpg
| MD5 | a25de5507386762b74532c0013a55068 |
| SHA1 | b840d3bfecef998e7e53d9d6daa448608c09a467 |
| SHA256 | a8cbe987a1cdbc0377382b8c906d44d05e62bfe02ed94996ecf022b468f1186e |
| SHA512 | 79e0bf69f9c37be5f11c7d2a0cd6c87b6e3dfed270d5974b6cbdb2f0f7019bffdc9e9f8375bb96b08b9f4835cce3ab48966d2e602baf3be6969d8be08b6ee3e8 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US.zip
| MD5 | 8b5c4d317323e24e140e22f9ae86baab |
| SHA1 | bb3c37a2ffe350a535113e5d3c1cb689fd481915 |
| SHA256 | dbf2a1ce8ea741f3ae45f60ce40f2bb94092cd7a4b6a17bd518083ce425decc4 |
| SHA512 | 5014ce45b82f7b6ec34edcb3392e784f8dda71949d0cc01e2a866be5708684f54d1297b5092db6683e91b1fe5f868216259b84026b3dd6891488c638c94abcb3 |
memory/1472-409-0x0000000071A3E000-0x0000000071A3F000-memory.dmp
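The hash tables in the Files section are easy to skim past, but three things in them are worth checking mechanically before pivoting on any hash: the dropped `C:\ProgramData\Synaptics\Synaptics.exe` carries exactly the SHA256 of the submitted sample (the Run key above points at that copy, so the persisted file is the sample itself, while the `._cache_` executables are the ones the signature tables attribute the desktop.ini grabs and `SeDebugPrivilege` to); the first `WorldWind.jpg` record has the digests of an empty file; `msgid.dat` has the digests of the one-byte string `0`; and `WorldWind.jpg` and `Process.txt` each appear with more than one hash, i.e. they were rewritten during the run. The following audit is an added example, not part of the report or the sandbox; it reads a subset of the records copied from this page and computes the known-content digests with `hashlib` rather than hard-coding them, so a record whose MD5/SHA1 do not agree with its SHA256 is also caught.

```python
import hashlib
from collections import defaultdict

# Submitted sample (Analysis Overview) and a subset of the Files section,
# copied from this report as (path, md5, sha1, sha256).
SAMPLE_SHA256 = "60042cce19f189d6d3666b05cb7a30d2751735d393e22aa08756fb685b5ab1e4"
STAGING = r"C:\Users\Admin\AppData\Local\21b2bf22f9964489f2fb1ac812edb6fe\Admin@UOKLYWYH_en-US"
FILE_RECORDS = [
    (r"C:\Users\Admin\AppData\Local\Temp\._cache_BIN V3.exe",
     "b3236d441e05eb20155c6b4f797bbd8d",
     "0d71d54ae067e1bbc32d6d40bc977487b176e3ed",
     "c04681955398625568aecfef915a3bff39ea106edf11ea0138618ea4e1a027dc"),
    (r"C:\ProgramData\Synaptics\Synaptics.exe",
     "9491db7ca184d0b17ccfd376ecb6ef50",
     "e75b6e62ce0b1236dc9be42422d4cc5dc9949e5a",
     "60042cce19f189d6d3666b05cb7a30d2751735d393e22aa08756fb685b5ab1e4"),
    (STAGING + r"\System\WorldWind.jpg",
     "d41d8cd98f00b204e9800998ecf8427e",
     "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (STAGING + r"\System\WorldWind.jpg",
     "a25de5507386762b74532c0013a55068",
     "b840d3bfecef998e7e53d9d6daa448608c09a467",
     "a8cbe987a1cdbc0377382b8c906d44d05e62bfe02ed94996ecf022b468f1186e"),
    (r"C:\Users\Admin\AppData\Local\fbdeda46abe21a1f3f934d98cd6ecbf4\msgid.dat",
     "cfcd208495d565ef66e7dff9f98764da",
     "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
     "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9"),
    (STAGING + r"\System\Process.txt",
     "e1eccab5dc482014e8a47ebe7481b5f6",
     "99dfd072488e70f1f4ff8a8c0481f3f0b6264e9d",
     "b7a8b3edf269e6d3064e42ca6502927c36351c8c0e83a9933bbfbf011c925edd"),
    (STAGING + r"\System\Process.txt",
     "64c5b0b55ef37674cb9dd640a4a21ca4",
     "afc348912b9a1c63974e6ef4abf814836f3d4c5c",
     "f4c8a7e51f3be61b328efd31cba51e196d693ab22d88cb4c778d586e5165cf4c"),
]

# Contents whose digests are trivially known; computed, never hard-coded.
KNOWN_CONTENT = {
    b"": "empty file",
    b"0": "ASCII '0' (single-character counter or flag)",
}


def digests(data):
    return (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
            hashlib.sha256(data).hexdigest())


def audit_files(records, sample_sha256):
    """Return (path, note) pairs: drops byte-identical to the submitted sample,
    files with trivially known content, records whose digests disagree, and
    paths that appear with more than one distinct hash."""
    findings = []
    known = {}
    for data, label in KNOWN_CONTENT.items():
        md5, sha1, sha256 = digests(data)
        known[sha256] = (md5, sha1, label)

    versions = defaultdict(set)
    for path, md5, sha1, sha256 in records:
        versions[path].add(sha256)
        if sha256 == sample_sha256:
            findings.append((path, "identical to submitted sample"))
        if sha256 in known:
            k_md5, k_sha1, label = known[sha256]
            consistent = (md5, sha1) == (k_md5, k_sha1)
            findings.append((path, label if consistent
                             else "md5/sha1 do not match sha256: record inconsistent"))
    for path, shas in versions.items():
        if len(shas) > 1:
            findings.append((path, f"rewritten: {len(shas)} distinct versions"))
    return findings


if __name__ == "__main__":
    for path, note in audit_files(FILE_RECORDS, SAMPLE_SHA256):
        print(f"{note}: {path}")
```

The practical consequence of the first finding is that the persisted `Synaptics.exe` and the submitted file are one artefact for hunting purposes (one SHA256 covers both), while the `._cache_BIN V3.exe` hash is a separate indicator. The empty and one-byte files are not worth hashing into a blocklist at all: their digests match every empty file and every file containing `0` on every system.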