Malware Analysis Report

2024-10-18 21:31

Sample ID: 240811-wznd4a1fqk
Target: 4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52
SHA256: 4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52
Tags: stormkitty discovery stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52

Threat Level: Known bad

The file 4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52 was found to be: Known bad.

Malicious Activity Summary

stormkitty discovery stealer

StormKitty

Suspicious use of NtCreateUserProcessOtherParentProcess

StormKitty payload

Executes dropped EXE

Checks computer location settings

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-11 18:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-11 18:21

Reported: 2024-08-11 18:24

Platform: win10v2004-20240802-en

Max time kernel: 148s

Max time network: 127s

Command Line

C:\Windows\Explorer.EXE

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2112 created 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Windows\Explorer.EXE

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 712 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | C:\Windows\SysWOW64\cmd.exe
PID 712 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | C:\Windows\SysWOW64\cmd.exe
PID 712 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1248 wrote to memory of 4252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1248 wrote to memory of 4252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1248 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 3848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 4428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1248 wrote to memory of 4428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1248 wrote to memory of 4428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1248 wrote to memory of 4876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 4876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 4876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1248 wrote to memory of 2516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif
PID 1248 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif
PID 1248 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif
PID 1248 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 1248 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 1248 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2112 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 2112 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 2112 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 2112 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 2112 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe

"C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Generating Generating.cmd && Generating.cmd && exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 349418

C:\Windows\SysWOW64\findstr.exe

findstr /V "WorkoutTranslatePropertyManager" Savage

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Error + ..\Top + ..\Trains + ..\Arrivals + ..\Ok + ..\Declare + ..\Trustee + ..\Authorized + ..\Real + ..\Follows n

C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif

Jonathan.pif n

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | RSPiHcuZwCBTa.RSPiHcuZwCBTa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
FI | 65.108.46.186:1337 | | tcp
US | 8.8.8.8:53 | 186.46.108.65.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Generating

MD5 2fba118aa4e49a942e5047b6753eb8c6
SHA1 a4e251441a81cb56b71884b4e2cbff4912ad0b75
SHA256 c404a7e24563ad8112e1366ab3816f13d994b84cca66ca4ac004d8c836aef84d
SHA512 4412e7ca19780f9d1c970d11be7ffb77cb4525717d1465fe7712b203221b9830b9131d78ec9b85b478bc4400f5cced641f03d505dfed4e0843616932e281c200

C:\Users\Admin\AppData\Local\Temp\Savage

MD5 9e714120340fe1ee3338928be0c55d9b
SHA1 5a2c58c33d5f3111d25416b3e64cf6c6cef88f38
SHA256 802f09110fc3b9a8a0903f8723a80c2b3bcf36f2ca5bf29a76f2b9bf4f2ed7f1
SHA512 ea2c718ac1104f1d8f18be6130e780aaaa3d1112219ed2ebd9cb035ae38070f49f9455cd33589f5c31bc8c1d184a4bb997070879d5808263a1b12355606044a0

C:\Users\Admin\AppData\Local\Temp\Resorts

MD5 66168ac43906ee81db71a613b4124ffe
SHA1 6d470e88eb2d34265e7e2a14b8687c055c4eb602
SHA256 80282cb7b875b7465fc4bfd797adc4cb7ba59addbc84e0ee8c0a1af2f17ea814
SHA512 7b54805e313de0a141c3a9e64fd46f7378d64fa8d3914688b3a4f0cd4b52bb2fb3837cd12d81f670d9e308344de9d97e6942ffe0a41438aa7d4b58494dcbbd24

C:\Users\Admin\AppData\Local\Temp\Error

MD5 6acae397533e2504c8dcc22dbcc5ee1b
SHA1 a02c00e37d829ad3ea6974097aa8c66c987701a0
SHA256 cd7f8c9ec8f9116ce23b14cdf371c780aed709c14ec341aa9a97040ac48c90f3
SHA512 b7664ae523061b3adf805cf34948d4f8253656a21716d7f64fa5410b66ac49c94a30a1a41be26e7439288cd1af493c9e32ec1217e7cdf4922051d4ad8682c6f0

C:\Users\Admin\AppData\Local\Temp\Top

MD5 cb39a85b5401d9bd5f6735150229f5f4
SHA1 be66caf7dcf5dbce6732d583f050509be5512f9b
SHA256 ff6480b420095b8b2a9bd090d0c193cf6c206c5766aec01dbc36653f19dc244c
SHA512 1e7e79f146cd329971a350e9b524068b9fd7bfd97053018f9ee4792277673dc35b867d18731cbd3c0462f0f224a181ddfcc17762bcfdf1f158130d16fb4ce781

C:\Users\Admin\AppData\Local\Temp\Trains

MD5 1767f4c13631e8bb9e3a3f260a3063b0
SHA1 d5db66c99ecad70420163f69bf167677e4b8fdfc
SHA256 e6bea29fb4e262cf4b2a9df8e6ea015e37e6363a6c44a3e00472824c7d442299
SHA512 c90bf304859a174d6a8c58c56b47263e21b45807a4eb8ea0df4efc3da470adaa8e57d839ba798c922f2af8b6f2948d89aae96587ccf722c7ec40fd5d1ad488ec

C:\Users\Admin\AppData\Local\Temp\Arrivals

MD5 ceb30d7fd337eab0a7e453320f049c45
SHA1 58feb1a1b8a4ac4698c5fe72ced2172d0584d340
SHA256 968f001e3d93c7f3481831cff2924705bf8ead261bf976fa662d3a6e30b187b7
SHA512 10f550340410f68993b2e70cf36b9ee90dd6acff15ea9ac7f9cd1f012712f0a2e81bc7b7ef359d0bb5d8fd77d8eca4ec7517c0c657dd254c6ed60a18e7b4e647

C:\Users\Admin\AppData\Local\Temp\Ok

MD5 de7c228bec1a2349469fac7ff35b6426
SHA1 45c9437428a204a108c6b19b23590123b18de3f6
SHA256 f17ef9d2c6c25f46a4bbdd4a50c025c3ee95aa6b72403d16b34b6a75da191c09
SHA512 16597e12652295740f93fdaa371fb51b8dc426d02b506655f9b94c23c8776192c8e2fce58f9ccc731690259dda2c52539ba961e1468c3aee52f468c983d74ddd

C:\Users\Admin\AppData\Local\Temp\Declare

MD5 e7dfae04a017b361a93c39cef0fd06d8
SHA1 02b70beb9ba9d4e20b430dcbf53752e8d8d72b9e
SHA256 b4a0ff42ac349a2d05eb48b74045a46fc37b7cea378d294b58c21720467c9c5d
SHA512 a42185c7ad43dbf02f82c1ca8e5c2bf94c929a5e7a2f4240cd044bcff7c6bd471e6ed33182b95636b130335fa5c399f4ea6e25e7771882df0988363a974714b1

C:\Users\Admin\AppData\Local\Temp\Trustee

MD5 a874970ff59977efaf4f49a452589034
SHA1 25aad1717e0da502ea94e9c74322f138e4e0e494
SHA256 5e9d0155a1be633b54b6cc49033642f7cd37d63bda9b4c34ee8eb51546f2911d
SHA512 c4ed114392327dae0eae00cd64d6e371d0abfeb925e21a2e3327e5c95bb4c4326016580cb9a7c6f55947be73da2312bb0594dc6786099fe8a5ac8286d4bbc57d

C:\Users\Admin\AppData\Local\Temp\Real

MD5 18584252a54fb18f4edaf293ae302dc2
SHA1 c32ec72e6d3524bd428612164d056847aa99408f
SHA256 3df93840384ebd06e02812e5dc5b4638a00488a5a7f8c34c473b0833f8043252
SHA512 ddefa98f1cc82cfcd2202d7ea0f503ee162b33d279958ce2f44eb65dcd74265c07b4c9d905620468b1994deb1331a99c9e0398d91cd3cc88f0207e08b6229dd9

C:\Users\Admin\AppData\Local\Temp\Authorized

MD5 2ff2c09f6a306e6eac8ec0aacea1c5d1
SHA1 98a72538c59fbe98ff0015d0882ad0101158ba52
SHA256 ae7168959f3c72ce375eb5ab6efe4b8f4a22d00731f5df0839a0786b84baf9dd
SHA512 069a0e35073a9a859b5328661c9f36c44e4d8eee00c471aa0571e09a0e2ee4f43fc9bfefcfb6eac7fa025d3c5b87e1c02367807211c18df7e4b84353248add18

C:\Users\Admin\AppData\Local\Temp\Follows

MD5 9344a1156b1a7dcfc6a721156ddc2a51
SHA1 01bcecb00f58be09fa71ca588172d640359002a8
SHA256 20954126145914bf4fa26f9e307130781fcdfed73d1bb9f96948b287ec31ac5d
SHA512 caa616d7db53ac82e33f7eb4f97d266e6ada1be07f38c3d8b2558eeeaad9ccee9c0d8900f31fbe86569e20dc78d13a813d52b1ea6ba0c97a07190588444950b2

C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\349418\n

MD5 1eca45d434b5a362b5a53768a0a7ad5b
SHA1 cca3fd7269d0c8b22e1988e899ffd77ccac68000
SHA256 d3323cc2bb2b10e7c4a19eeb5da95cd3afc401d02a891f5e2df3ed930b8f6ab4
SHA512 cddad62eaaa6a03a33716f0c53c65ce3da85121c4856ecdf3ed66682e54b1235deb0156f8ee983dfba0ced2669bf8f869dfebdea25d11aa1adf50d7bd1a66e77

memory/2632-35-0x0000000001350000-0x00000000013E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/2632-38-0x0000000005F40000-0x00000000064E4000-memory.dmp

memory/2632-39-0x0000000005A40000-0x0000000005AA6000-memory.dmp

memory/2632-41-0x0000000006A90000-0x0000000006B22000-memory.dmp

memory/2632-42-0x0000000006A60000-0x0000000006A6A000-memory.dmp

memory/2632-43-0x0000000006CC0000-0x0000000006D5C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-11 18:21

Reported: 2024-08-11 18:24

Platform: win11-20240802-en

Max time kernel: 147s

Max time network: 151s

Command Line

C:\Windows\Explorer.EXE

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1432 created 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Windows\Explorer.EXE

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 396 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe | C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 2032 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 732 wrote to memory of 2032 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 732 wrote to memory of 2032 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 732 wrote to memory of 4772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 4772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 4772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 2760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 732 wrote to memory of 2760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 732 wrote to memory of 2760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 732 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 1088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 1088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 1088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 732 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif
PID 732 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif
PID 732 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif
PID 732 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 732 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 732 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 1432 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 1432 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 1432 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 1432 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe
PID 1432 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif | C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe

"C:\Users\Admin\AppData\Local\Temp\4127c9695c9aa08cf6e36097b5666c0305768372a07d4e607b7c4eee01bafe52.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Generating Generating.cmd && Generating.cmd && exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 349418

C:\Windows\SysWOW64\findstr.exe

findstr /V "WorkoutTranslatePropertyManager" Savage

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Error + ..\Top + ..\Trains + ..\Arrivals + ..\Ok + ..\Declare + ..\Trustee + ..\Authorized + ..\Real + ..\Follows n

C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif

Jonathan.pif n

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 RSPiHcuZwCBTa.RSPiHcuZwCBTa udp
FI 65.108.46.186:1337 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Generating

C:\Users\Admin\AppData\Local\Temp\Savage

C:\Users\Admin\AppData\Local\Temp\Resorts

C:\Users\Admin\AppData\Local\Temp\Error

C:\Users\Admin\AppData\Local\Temp\Arrivals

C:\Users\Admin\AppData\Local\Temp\Top

C:\Users\Admin\AppData\Local\Temp\Trains

C:\Users\Admin\AppData\Local\Temp\Ok

C:\Users\Admin\AppData\Local\Temp\Declare

C:\Users\Admin\AppData\Local\Temp\Trustee

C:\Users\Admin\AppData\Local\Temp\Authorized

C:\Users\Admin\AppData\Local\Temp\Real

C:\Users\Admin\AppData\Local\Temp\Follows

C:\Users\Admin\AppData\Local\Temp\349418\Jonathan.pif

C:\Users\Admin\AppData\Local\Temp\349418\n

memory/664-35-0x0000000000B40000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\349418\RegAsm.exe

memory/664-38-0x0000000005840000-0x0000000005DE6000-memory.dmp

memory/664-39-0x0000000005190000-0x00000000051F6000-memory.dmp

memory/664-41-0x0000000006210000-0x00000000062A2000-memory.dmp

memory/664-42-0x00000000061C0000-0x00000000061CA000-memory.dmp

memory/664-43-0x0000000006480000-0x000000000651C000-memory.dmp