Malware Analysis Report

2024-10-18 21:31

Sample ID 240814-btqbaatfkc
Target e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe
SHA256 e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
Tags
asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5

Threat Level: Known bad

The file e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

StormKitty

AsyncRat

StormKitty payload

Async RAT payload

Credentials from Password Stores: Credentials from Web Browsers

.NET Reactor protector

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Looks up geolocation information via web service

Looks up external IP address via web service

Drops desktop.ini file(s)

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 01:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 01:26

Reported

2024-08-14 01:28

Platform

win7-20240708-en

Max time kernel

145s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ee5d9b0cdbdf4e9e34ffe88006f2f0ca\Admin@WHMFPZKA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 2624 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 2624 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 2624 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 2624 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 2624 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 2624 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 2624 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 2776 wrote to memory of 9016 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 9016 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 9016 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 9016 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 9016 wrote to memory of 9036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9016 wrote to memory of 9036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9016 wrote to memory of 9036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9016 wrote to memory of 9036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9016 wrote to memory of 9044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 9016 wrote to memory of 9044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 9016 wrote to memory of 9044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 9016 wrote to memory of 9044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 9016 wrote to memory of 9052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 9016 wrote to memory of 9052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 9016 wrote to memory of 9052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 9016 wrote to memory of 9052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 9084 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 9084 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 9084 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 9084 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 9084 wrote to memory of 9104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9084 wrote to memory of 9104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9084 wrote to memory of 9104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9084 wrote to memory of 9104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 9084 wrote to memory of 9112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 9084 wrote to memory of 9112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 9084 wrote to memory of 9112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 9084 wrote to memory of 9112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe

"C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe"

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

"C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe"

C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

"C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp

Files

memory/2624-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

memory/2624-1-0x0000000000180000-0x00000000005D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

MD5 5e2849bef6a38ed0b163ea6128afea01
SHA1 d77e1467dcd5e6662a6b97de35cb017579af032a
SHA256 6ec13e13059bac123d839fde5770db2c87248ef862d21f5f818580287a365026
SHA512 e20bcb346b114c5e6f8f0e82d2143a7c02ffc77056983336a011fbe8e292d8fa0ed8d2aebaa6f665ffacfa1063f59a2788bc68bbe2605316d7791eec3a1e1cfb

\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

MD5 b2795fbed63c8c1b0846b3eaeae2fe0f
SHA1 d1145cff21e008c9ad581ccf1719139d754355de
SHA256 5ea467d548d41b747370a235c9a245910ed58d55482a48246196faf391213c24
SHA512 47ffcc3c74113db4c389ba9a6b5db7ce325d1f63e431405a9f6613918c387de4a677f20804aad6aa458bf2151de418c2f72740f4f5083fb45bf6c4b0f564e564

memory/2776-24-0x0000000004A10000-0x0000000004AF4000-memory.dmp

memory/2776-25-0x0000000004820000-0x0000000004902000-memory.dmp

memory/2776-26-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-31-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-47-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-27-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-37-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-35-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-39-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-33-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-29-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-45-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-43-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-41-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-49-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-63-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-79-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-89-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-87-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-85-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-83-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-81-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-77-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-75-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-73-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-71-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-69-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-67-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-65-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-61-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-59-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-57-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-55-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-53-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-51-0x0000000004820000-0x00000000048FC000-memory.dmp

memory/2776-2274-0x0000000002010000-0x0000000002040000-memory.dmp

C:\Users\Admin\AppData\Local\500d44eef58379767f8522bf3bde64f6\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 01:26

Reported

2024-08-14 01:28

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
File created C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 1280 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe
PID 1280 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 1280 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 1280 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe
PID 3100 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 5352 wrote to memory of 5844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5352 wrote to memory of 5844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5352 wrote to memory of 5844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5352 wrote to memory of 5876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5352 wrote to memory of 5876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5352 wrote to memory of 5876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5352 wrote to memory of 5888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5352 wrote to memory of 5888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5352 wrote to memory of 5888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3100 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe C:\Windows\SysWOW64\cmd.exe
PID 5368 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5368 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5368 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5368 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5368 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5368 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe

"C:\Users\Admin\AppData\Local\Temp\e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5.exe"

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

"C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe"

C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

"C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1280-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

memory/1280-1-0x0000000000DC0000-0x0000000001212000-memory.dmp

memory/1280-2-0x0000000005C60000-0x0000000005CFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winrar_x64_701ar.exe

MD5 5e2849bef6a38ed0b163ea6128afea01
SHA1 d77e1467dcd5e6662a6b97de35cb017579af032a
SHA256 6ec13e13059bac123d839fde5770db2c87248ef862d21f5f818580287a365026
SHA512 e20bcb346b114c5e6f8f0e82d2143a7c02ffc77056983336a011fbe8e292d8fa0ed8d2aebaa6f665ffacfa1063f59a2788bc68bbe2605316d7791eec3a1e1cfb

C:\Users\Admin\AppData\Local\Temp\_microsoft_corporation.exe

MD5 b2795fbed63c8c1b0846b3eaeae2fe0f
SHA1 d1145cff21e008c9ad581ccf1719139d754355de
SHA256 5ea467d548d41b747370a235c9a245910ed58d55482a48246196faf391213c24
SHA512 47ffcc3c74113db4c389ba9a6b5db7ce325d1f63e431405a9f6613918c387de4a677f20804aad6aa458bf2151de418c2f72740f4f5083fb45bf6c4b0f564e564

C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\System\Process.txt

MD5 6e7e64564276a0217c9c06bf04f86a83
SHA1 4425328a649f67e7420a99b8575686bd563a3cce
SHA256 2dd396d495c3b327189752e968a2fd620e5178677fc8066aff694a54cee69521
SHA512 4ec1a94c9f1bbb04e343b00f0a775359b0105983e06d9dcc1490902fd54a22a73d6e8a33f597cb023dff5d24fee6962245e9a550c53a8e5b0d5085885db2e7d1

memory/3100-2429-0x0000000006450000-0x00000000064E2000-memory.dmp

memory/3100-2433-0x0000000006580000-0x000000000658A000-memory.dmp

C:\Users\Admin\AppData\Local\2d36cc9d40bd48127a0b54f637b5251f\msgid.dat

MD5 c417ae1e153dcef5d3f4c03d326fec02
SHA1 fa8ac6f47be77d0b17c4a2a1ef2e563748750bbe
SHA256 9e67f26ef5e2613063e20c2c84630e21b607f2da1100d1992894b3ecf7a7ddf2
SHA512 9716dea64d6fe48a860fcc54e1d8c629712f7a33fc984dd1ef648ab24966823a8eff3408e9af1f29d5c4fd4f01daa2bafab59b1994cd79a968996e0559a3b37a

memory/3100-2439-0x00000000066A0000-0x00000000066B2000-memory.dmp

C:\Users\Admin\AppData\Local\c09dc33cc97a01ce6a55dd66965683f5\Admin@ZEUYFSYD_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7