Malware Analysis Report

2024-10-18 21:31

Sample ID 240812-lrwemavhnq
Target CorkDork.rar
SHA256 10342e9572946deff266cab155dd43234e8882d4aaa08d4d8354f2ae7f730697
Tags
neshta stormkitty asyncrat default credential_access discovery persistence privilege_escalation rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10342e9572946deff266cab155dd43234e8882d4aaa08d4d8354f2ae7f730697

Threat Level: Known bad

The file CorkDork.rar was found to be: Known bad.

Malicious Activity Summary

neshta stormkitty asyncrat default credential_access discovery persistence privilege_escalation rat spyware stealer

Neshta

AsyncRat

Stormkitty family

StormKitty payload

Neshta family

Detect Neshta payload

StormKitty

Async RAT payload

Credentials from Password Stores: Credentials from Web Browsers

Modifies system executable filetype association

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 09:46

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 09:46

Reported

2024-08-12 09:47

Platform

win10-20240404-en

Max time kernel

25s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe"

Signatures

AsyncRat

rat asyncrat

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
File created C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
File created C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
File created C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
File created C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
File created C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\LET.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE
PID 1468 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE
PID 1468 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE
PID 1468 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE
PID 1468 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE
PID 1468 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe C:\Users\Admin\AppData\Local\Temp\LET.EXE
PID 2348 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\LET.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
PID 2348 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\LET.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
PID 2348 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\LET.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE
PID 3308 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE C:\Windows\svchost.com
PID 3308 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE C:\Windows\svchost.com
PID 3308 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE C:\Windows\svchost.com
PID 4564 wrote to memory of 688 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE
PID 4564 wrote to memory of 688 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE
PID 4276 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\SysWOW64\cmd.exe
PID 4276 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\SysWOW64\cmd.exe
PID 4276 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2912 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2912 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2912 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2912 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2912 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4276 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\SysWOW64\cmd.exe
PID 4276 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\SysWOW64\cmd.exe
PID 4276 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1328 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1328 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1328 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1328 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1328 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4276 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\svchost.com
PID 4276 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\svchost.com
PID 4276 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE C:\Windows\svchost.com
PID 2352 wrote to memory of 4364 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 4364 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2352 wrote to memory of 4364 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe

"C:\Users\Admin\AppData\Local\Temp\CorkDork\CorkDork.exe"

C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE

"C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE"

C:\Users\Admin\AppData\Local\Temp\LET.EXE

"C:\Users\Admin\AppData\Local\Temp\LET.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /sc ONLOGON /RL HIGHEST /tn Chrome Update /tr C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 google.com udp
N/A 127.0.0.1:8808 tcp

Files

C:\Users\Admin\AppData\Local\Temp\CORKDORK.EXE

MD5 295d4dbb9f17e31662e4ef6974241e99
SHA1 153db0c9938e262a8e856b7e9eb464b4affa277e
SHA256 0e8d9b61e66a987fe1b5095809c356e1a9c21a4259a1a45627eace8177c9d0db
SHA512 4784d804f72f53a417570209779234520dd808929a90289b3234fc74f04858bca519f82a8b077994c09457b3417c732452dd8b964c6f29c0e46b265d0001ac19

C:\Users\Admin\AppData\Local\Temp\LET.EXE

MD5 cb66ae727ba5ed3a3c1b1fc60dadb152
SHA1 6def0bea71e985e041c5796b959814b36d75e551
SHA256 51c82632119b14af345b42ec4bce4c780d81502b8ec67b63b631c6830fb845d6
SHA512 84b9219eac6fc235f74a063cad74625350132b4481c5653fa47ba8dbb0319798a5c1d5aa07701e4b542bd7fc8330dcfc3ce4037baa4af86a0bbea1d6e9b2c901

C:\Users\Admin\AppData\Local\Temp\3582-490\LET.EXE

MD5 c7235b3be7873e0743aba6235cd3d677
SHA1 2481321813caff4ded19135c86301f899fb19f66
SHA256 4902c56dfa5b513df7c00f8fe5df90dcc46a03f194dca424ebbf6f03e7904486
SHA512 7310beb111ca489fd6348d40cea921d8854d99858cb2b9dc7d8211009a8c958374832f585f2cb25962e7ed3a453ca11102b7fb47be0eff8d2a7bc2b564928860

C:\Windows\svchost.com

MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

C:\Users\Admin\AppData\Local\Temp\3582-490\CORKDORK.EXE

MD5 f805da8f88fa7eabcca04193930536a6
SHA1 0e48bfa7a6ffce66a79310ddb22ec117977fe00d
SHA256 2ecb7bda738d769714e788e310d5e47c99078dbbce3c0f35d881e2a457300099
SHA512 feaf6c9b2065f13808d0842f549388130d8c264617dc5200ad57912f1a0fe2b1e6ba10f63a2dd1ee306477895d266e886b931a1ae7171b51dc3cf86a5391568f

memory/4564-26-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4276-27-0x0000000000410000-0x0000000000442000-memory.dmp

memory/4276-28-0x0000000004C50000-0x0000000004CB6000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

MD5 58f9bc16408d4db56519691315bb8a75
SHA1 ac94543044371e3ea49918eb0f114a29ab303004
SHA256 5562973f2b3aa9d0c6184143360f7861b4129605f5e63b896ad815f381e6475b
SHA512 e1884456f86bb7cf7d268942f6fc1bacaa550eac31aaf186d9e95c15bdc41d05638cfdea1762c92681225af72008d251b101e8f291e3a74f382832336b82d39d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

MD5 cce8964848413b49f18a44da9cb0a79b
SHA1 0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256 fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512 bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

MD5 8c753d6448183dea5269445738486e01
SHA1 ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256 473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA512 4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

MD5 176436d406fd1aabebae353963b3ebcf
SHA1 9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a
SHA256 2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f
SHA512 a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

MD5 12c29dd57aa69f45ddd2e47620e0a8d9
SHA1 ba297aa3fe237ca916257bc46370b360a2db2223
SHA256 22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512 255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

MD5 92dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1 f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA256 3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512 d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 cbd96ba6abe7564cb5980502eec0b5f6
SHA1 74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512 a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

MD5 10748253009c18f4695b7043dcf36fdc
SHA1 22d24c7b4cd0b280f09a76534545cfdc1d66a256
SHA256 3bee29dd355e50cdf24736a2a53d8fffd9cd93e702109f20d65a7e2e2fcfd9f1
SHA512 477462d114a9aac7aead3483a5a038f1fc4484514c2aa0a4c6d6aab30075056ad439592b1f9a72cf4c4499eefa8aeb744e0c2dad439ef8efae795611df352080

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

MD5 fbbde1cc9128fff8bdffd792e6ea8cce
SHA1 480368754e21ff97ded1f55f736c1427bb388ca3
SHA256 c26681e4c77fac521ec4ba461e34bbe17bdf566af7c004c96e30b8fc785af73c
SHA512 2ecb93ddb1f58e0f3b845e80c76b706b0adc4ab30220eda837cdf13723a730f725e97f81d2f76ef8e0148703ba8e0d4dd57a03f303d09fee78bed0bd5a0ff274

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

MD5 f1dd0a0fe1c98603a4d5666f5175a911
SHA1 12bc988ea7a55e6d7fd4c7a59d74393bb8473d4d
SHA256 f5bf98813e2d5a12f3b78f02108f7d16436e2454770599859b1e694d97df4264
SHA512 3196905919cb6c45d287ab9a26d5970ccf710d092c166202e0919989703584dfeab416adc998a50104a7a76fe175838de5544904a32bbc96e19c2f68362ce895

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

MD5 96a14f39834c93363eebf40ae941242c
SHA1 5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc
SHA256 8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a
SHA512 fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

MD5 7e3b8ddfa6bd68ca8f557254c3188aea
SHA1 bafaaaa987c86048b0cf0153e1147e1bbad39b0c
SHA256 8270ecef6079a21f5ae22f1a473e5eb8abac51628367f4acf6466529ba11d7e2
SHA512 675ca07cdb787b3f624eae9707daf519214f8dc4670c524cef5110c9dba197e833cedb051919c757c58a3687e63cf175d1397d8ce69c5995f4eab3b85f6dafbb

C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

MD5 05bdfd8a3128ab14d96818f43ebe9c0e
SHA1 495cbbd020391e05d11c52aa23bdae7b89532eb7
SHA256 7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
SHA512 8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 e19544c111fefa491cfe53b99f8bebc2
SHA1 a05e096689dd82751ccd0a4eec0db54a5f972830
SHA256 82a14caee30a4f86dd143015fc852220a36cc96cdbb9f65aaca87d80f2c43762
SHA512 0f017e3aeea8de42195687c2745b9eccc174e6430149edf22a8f4b5fc24e7881654ba7c55ed2327b9c710787dffa3c438c0d99b06e7e12f6126bc3e86392d4db

C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 87f15006aea3b4433e226882a56f188d
SHA1 e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA256 8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512 b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 07e194ce831b1846111eb6c8b176c86e
SHA1 b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256 d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe

MD5 3a3a71a5df2d162555fcda9bc0993d74
SHA1 95c7400f85325eba9b0a92abd80ea64b76917a1a
SHA256 0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8
SHA512 9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE

MD5 1319acbba64ecbcd5e3f16fc3acd693c
SHA1 f5d64f97194846bd0564d20ee290d35dd3df40b0
SHA256 8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce
SHA512 abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 cc5020b193486a88f373bedca78e24c8
SHA1 61744a1675ce10ddd196129b49331d517d7da884
SHA256 e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a
SHA512 bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

memory/4276-123-0x00000000057F0000-0x0000000005CEE000-memory.dmp

memory/4276-124-0x00000000053D0000-0x0000000005462000-memory.dmp

C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\a67d0793b81bf09d40cfe4225fcd112a\Admin@KZOWYSNI_en-US\System\Process.txt

MD5 174cb188d56c3ad3cc272e009176f1e5
SHA1 3c42a64f73bab17e5e34a5af7203122ad1df3ff5
SHA256 b1eb093936cd24a13b8286c4006f24d3df2195d0fcf3b402d716e9dd14003794
SHA512 558debc3983900f644a62e6778435ce7fbc4ac6ad8100d940867e74e804d6ef22d3a6b00be3cfed12c5672d9a5e7fcec0be91f302b2d77741100145a0fa2a61c

memory/3308-246-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2348-247-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4276-250-0x0000000006260000-0x000000000626A000-memory.dmp

C:\Users\Admin\AppData\Local\fc0fc587d9be559b26d1a0354bfed02a\msgid.dat

MD5 0dfccf6d4f0d6716824f7d68ef8badab
SHA1 7e1a429febcf84e115f9ecf20354a18e19d13d9b
SHA256 3645c41918d470b8f3cf253a2a39a3d7219ac773d426767b37d886c39e7ea3da
SHA512 393199e696ae4928cc9d0c9c35711a704b31834a07f3882b73c3a4695c423a5507406ed64221e791525b654ca549c6533d04dc16e0a6caf24b7f875b7cce05be

memory/4276-256-0x00000000068F0000-0x0000000006902000-memory.dmp

memory/3308-282-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2348-283-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\config.yml

MD5 a8f91823504ed4d56839e8c311cbdb5a
SHA1 f1e2a6b65b05f8fd20b40513f78139edf36a3e84
SHA256 da9da728d2cd148e6a92b28c4e61a706ca43fa20bd39033e6a4b975c59d5347c
SHA512 77e57f3d89de18280cfb44e5aad7cfdfc11b29300ef12e50b705269a6c15341c6683c4ec3fcbfa7c7e42d2e6cc0b06dbf36d280db60b492c0ce1347fcc982686

C:\Windows\directx.sys

MD5 0724bbe09bf2c8a60b13422c8ffad59c
SHA1 0f01b06e13362cfe49dbaddf9388988b1b35e44a
SHA256 c3a250bb2e63a794bfb147e49faea145b30e7c149eba61164a534773ca3649ae
SHA512 6e0a69d1b23caccc7d1b1d10b412763d230c543558a73fdaf2355bc5cc28ad450a6ac7e14a22908bd676fe088d34da898e2facb1d6392e10e8561f4e017327a7

memory/2352-296-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2348-304-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4276-302-0x0000000007580000-0x000000000758A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 4a5d595afc8c8f296ec0586c8899d732
SHA1 08eaab2d626e3ad64c0c85c7b6e47c42daf8f36b
SHA256 6441f427007f3422f90fac72f1066be0eca4821183dc02204f0f6312a69b9f47
SHA512 1675dcbedb284a80c2ca44d1494cf5ba3b41a352670da572160bae3875319ae59aedd13cbbe922e8da8b463a263cf802d9229f9005334f82463bae24f64f6ba8

memory/3308-303-0x0000000000400000-0x000000000041B000-memory.dmp