Malware Analysis Report

2024-10-18 21:30

Sample ID: 240817-vv41lsxbqa
Target: 8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523
SHA256: 8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523
Tags: stormkitty xworm collection credential_access discovery execution persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523

Threat Level: Known bad

The file 8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523 was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm collection credential_access discovery execution persistence rat spyware stealer trojan

Detect Xworm Payload

Xworm

StormKitty payload

StormKitty

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops desktop.ini file(s)

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-17 17:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-17 17:19
Reported: 2024-08-17 17:22
Platform: win10v2004-20240802-en
Max time kernel: 150s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\ProgramData\OARDHGDN\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\ProgramData\OARDHGDN\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\ProgramData\OARDHGDN\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\ProgramData\OARDHGDN\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1708 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1708 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1708 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 1708 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 1708 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 3912 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe

"C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\zzzz.exe

"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 172.67.160.84:443 | freegeoip.app | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ipbase.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 172.67.209.71:443 | ipbase.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.12.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | sites-sing.gl.at.ply.gg | udp
US | 147.185.221.16:6789 | sites-sing.gl.at.ply.gg | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 147.185.221.16:6789 | sites-sing.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 147.185.221.16:6789 | sites-sing.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 147.185.221.16:6789 | sites-sing.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 147.185.221.16:6789 | sites-sing.gl.at.ply.gg | tcp

Files

memory/1708-0-0x00007FFD766D3000-0x00007FFD766D5000-memory.dmp

memory/1708-1-0x0000000000B30000-0x0000000000B5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 90feaeac1ed833652f5267124acd8293
SHA1 ba3fa9aa1c28e54d712bf8766234410d56494859
SHA256 a9ad869209d1344ab64479f2f1557291b97358451a4aa6d32da2f570de02851b
SHA512 0b29579c520bd59fddb14e50c2f4c7ab407ee6177cc2682461c1308f78bacfc151b5d3fc16c2b5b566fca40fdba683cf403b7efaa23fe3b9b5efec1ad0568042

memory/1708-22-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

memory/3912-23-0x0000000000290000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zzzz.exe

MD5 de4824c195cf1b2bb498511ef461e49b
SHA1 f15ca6d0e02c785cce091dbd716cd43e3f5a80bd
SHA256 51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209
SHA512 b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

memory/1708-27-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

memory/3912-28-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

memory/3304-29-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

memory/3304-30-0x0000000000610000-0x0000000000666000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3brrn0s.zqm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4668-74-0x000002740F790000-0x000002740F7B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb1ad317bd25b55b2bbdce8a28a74a94
SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

memory/3912-118-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

memory/3304-119-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

memory/3304-132-0x0000000006380000-0x0000000006412000-memory.dmp

memory/3304-133-0x00000000069D0000-0x0000000006F74000-memory.dmp

memory/3304-138-0x0000000006710000-0x0000000006776000-memory.dmp

C:\ProgramData\OARDHGDN\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\ProgramData\OARDHGDN\Process.txt

MD5 5bd73d85694c0fdd9f6738eab192cb89
SHA1 182fde5cd98659e8f7f23dc131e38e84f13135e9
SHA256 52d986dd1f099c75355bf88d2e256729bf6e7e5b588b0976fe3e08e083e28f59
SHA512 a19021fbea1a6dc88bc766fe900e227bc7f0059f423e3e12c45f0f6eacdec6e04a11901d2d213bd0b16413d88f7b7a5f083f0515a1f85e19e9fa2fd82f33b965

C:\ProgramData\OARDHGDN\FileGrabber\Desktop\CheckpointEnter.rtf

MD5 ad0a983f6478af5396fcbe0a98039ffa
SHA1 1296a5d84d835dbbf3dbe2be02b77305b01b2f5f
SHA256 3928de7e8a41a69509c03702bc9737d93c9f23694cc7880518ccdfed3d814820
SHA512 e6d5c89527f14ed40b73c3a2d7229c7f61fb7fdf8e7187cc9eb8dd8cf29cb3e566ccb591837fc81ea59b0011b636e6ec9b9f2a3c3a4ee57491bf94d4f9c3f837

C:\ProgramData\OARDHGDN\FileGrabber\Desktop\FormatRestore.css

MD5 86b57ec464c2c20a202a1f3872b098c5
SHA1 8b1a0330c0f6fc5c00d4886b0a3a880feeb92eb6
SHA256 56720e9beac72c6d33efe0e1841b346fb7f8c05bb0dbcca298cecfa605f8c736
SHA512 1937f9163f9212b55c3ad24678bfcf6cd7a95e27ae408ea5499b2b871359d739bc1ec731f9b310f75a4d2af2b649b61cb5b46433454f29bd21aad9f4955d2080

C:\ProgramData\OARDHGDN\FileGrabber\Desktop\NewPing.xlsx

MD5 e037dd87bec8a0fdf3636b3e4fb72c40
SHA1 72019ee9c2ebaf0f7a7688782f6a2b3b7b915690
SHA256 a5dc12d32df8ce4e06832ab570d741120b8e73276456755c853c5a720a226d82
SHA512 5da877836dc2cc06088d1d9bc5361288a204b516ffa4c9016c5ca37feb7383c1d35dfba2946ef63c77f9fe72f647090a0ecd9d085efb8280f3defd081038cda0

C:\ProgramData\OARDHGDN\FileGrabber\Desktop\RemoveOpen.docx

MD5 e1109a46dd58685a9eb905806c617926
SHA1 5ff1fe5382974997ea72c8bfb1f5f20b21962ade
SHA256 6289568fe75b551141a9041039fa1848876df142434b15a961407e9a91ff6e77
SHA512 473136abe10abb9f2df54c1e336d98608a39eaac3b28d8bd1dc8789417eb9745952f76216456d2fcad4521bf370d85b8c08f82dd263c20101028e68bfaa57a4c

C:\ProgramData\OARDHGDN\FileGrabber\Desktop\SendSync.pptx

MD5 c68cd01ed3f0899ab903d147f49e62ac
SHA1 6e0a72ab95a8c7ab76b59c003ee0d41b63d849f4
SHA256 a4b335cd48f864e189d51b083164a55bc779f44fad43971e1d471921b4d37178
SHA512 54ba9b7a62841cb5fb7468cab18175412b7dd2b3a8855a98ac8c524d32841452be3e8c2b91734b9dc12444c55cfe896914cecbc8e05b9ab60786988b4a112664

C:\ProgramData\OARDHGDN\FileGrabber\Documents\CompressConfirm.docx

MD5 8650063ea430fe657dafb50e55b54b97
SHA1 ce946a29c1cb7fc069a1c027f7490b8b2037414b
SHA256 1527f1ea7b4068c921cbdf3a7d77439983826c8b7b56c87df12d54b171f2e60c
SHA512 7c0dae2b7e2b10278d271c30ea595f0eb04a21cdc1142e652ab72f05336801252ab67054114c78e52dd79c1cd333bd8584bf03c8f1529a70f8d10dbe2563bbfb

C:\ProgramData\OARDHGDN\FileGrabber\Documents\DisconnectTrace.pdf

MD5 f7d8a3b0e8c4c7148a6649dd432743a3
SHA1 9aa24fea52beaca7649c6f616b1887fc656434e5
SHA256 28f062f4a10580e6926cdeba5d6b84a3b959eac10926c5931cb49526b269a694
SHA512 edf89420f38aea46449399c82c0628ec127803299d7e8f1e05cefc6a578967dde9f59242798909581ef0d0c1d1a68786edf2343c54eb72a0b9c66070d252dcbd

C:\ProgramData\OARDHGDN\FileGrabber\Documents\GetAdd.txt

MD5 5d1198db55d6933af56d4b9ed80d5f6d
SHA1 7124b0974bb4f3d57e212f5eb3b62b3142a5e722
SHA256 ec368770d0b659962a01ea42e1fd5c7d71f9fd78d0c0fef5c0d446a328b2b98d
SHA512 c93dae8d081d73263dacaeeef509495ec39f699a82e3b9165e8d156d595c0b7b91aeacbde13760f4fbc0e66ba1ff16695faae3b7a6f8d3b86725e6593e60e69d

C:\ProgramData\OARDHGDN\FileGrabber\Downloads\DenyRestore.jpeg

MD5 b47b6dc326379b776be7056bc68121d0
SHA1 efd9e0bd87abc8e7bb9fed05b2a016ccc452601a
SHA256 7659b8eb3f1642870c935380a70dac6c909a3bec0f1d8e1571a73af7c995dcef
SHA512 249ce047d5793db1b81cbbcd94a1e2129988b6e10c1f5b0cd3c5199a7364d0af4ab5cbe230f835be01dba09d7e47b7c61615d994568e4f8ed6fec65aa14aadb7

C:\ProgramData\OARDHGDN\FileGrabber\Downloads\MeasureExport.css

MD5 1cacf7f00bd9ff35696aabbf67380dba
SHA1 d85b9ba3cee5f769bf2a5f8595a90b4fe3f80bd9
SHA256 bff278707dff6c1b42447d487ec5aec6385fced450439d47f91a716f6d579e0a
SHA512 939ec60ef85e7d1e33c7d1c2f74afd885ae40c9dfb8f6ff0aa929c37213063fa0720d5f45a73297241da0d23e9d7703e751e84a58ef6383d2a466ccd18f103bb

C:\ProgramData\OARDHGDN\FileGrabber\Downloads\TraceSave.ppt

MD5 bee6ccf93f1b9a4da4f55405ee4a4b7e
SHA1 5f84cb045592149d4bb8cd9527ea107887938879
SHA256 7338e05c3abd6311e47d201be3b4b2f8afed2b8ebf0bdb53d385931cd26dda50
SHA512 a4e571a319f4055981b36b741cb5fc32882a947974c09407189df0d9bd1a13d1fcb66db460dd59c30ec743fb1124f895b1170047240aa7fdd0311cf125fe9bf0

C:\ProgramData\OARDHGDN\FileGrabber\Pictures\ExpandEdit.jpg

MD5 2485be2813a57f9be6d91e87b18c17a8
SHA1 b0209421203e0431c573eff51fbd7966400f17dc
SHA256 0e17a3be7f9976391892008ff71f78b0793f0c22cd64ba6d736887b1f7d58912
SHA512 c1fede9318b1fbd72acc043ca65a57d7b43a3ed3263575af806eb98e7a8eed406c6af3132f00bd164d4acf630344c8cc088346c2a1844f3fc30dcd68fd6d043b

C:\ProgramData\OARDHGDN\FileGrabber\Pictures\InstallSet.bmp

MD5 a21f4feeddbb9488420fa202f7d70828
SHA1 d0b41cc3b912503757fbe87348f65a77c36871f1
SHA256 e5b0044fe4f65b9421c94ce05af41e88f49c03d410299f27ddf8815bb55a7ead
SHA512 d6801028aae52e358214067a889e824c7bbb0eb59efb863c1bdf99f204cef8918cdcfa991a31d64a2888b83bbd1d396ca521f1a35f5f45523edbaebf68a2c213

C:\ProgramData\OARDHGDN\FileGrabber\Pictures\MergeConvert.svg

MD5 b77d53630ac8ed6d777e9d1671aa4e2a
SHA1 1d7dfc4f532317bdaa9114f1de8e958a48130a97
SHA256 85b1830880c7bc6d2371e35951d5a88244b177ef1eeba5b252ba74f1ef589279
SHA512 bfb757df6ab586f167ef32bccaf2a4ef53d194a27443e9dcb434c180b4c14be9b006da6cd417cead3e5e8b36b726df4998c6c622ffc8d5ef2fee2124c49e5d82

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-17 17:19
Reported: 2024-08-17 17:22
Platform: win7-20240708-en
Max time kernel: 129s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\ProgramData\MUYDDIIS\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\ProgramData\MUYDDIIS\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2480 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2480 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2480 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2480 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 2480 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 2480 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 2480 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 2940 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe

"C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\zzzz.exe

"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
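The three powershell.exe command lines add Microsoft Defender exclusions for the dropped svchost.exe: twice by path (the Temp copy and a second copy one directory up) and once by bare process name. A process exclusion given as a name only exempts files opened by any process called svchost.exe wherever it runs, so the fake one benefits while the entry reads as if it referred to the real service host. The check below is an added example, not code from the report or the sandbox vendor: it runs detection logic over a constructed list of process command lines (the three from this section plus benign fillers, as a Sysmon Event ID 1 or Windows 4688 source would record them) and flags exclusion tampering, -ExecutionPolicy Bypass, and a system-binary name executing outside the Windows system directories. The binary-name list and system directory paths are assumptions to adjust for your environment.

```python
import ntpath
import re

# Constructed sample of process command lines. The first four are copied from this
# report's Processes section; the last two are benign fillers for contrast.
SAMPLE_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
"C:\Windows\System32\svchost.exe" -k netsvcs -p
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-MpPreference
""".strip().splitlines()

# Assumed environment facts: where legitimate system binaries live, and which
# well-known names malware likes to borrow. Extend both for your estate.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "winlogon.exe", "explorer.exe"}

# Leading image path, quoted or not.
IMAGE_RE = re.compile(r'^"?([^"\s]+\.exe)"?', re.IGNORECASE)
# Add-/Set-MpPreference exclusion parameters and the value that follows them.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+['\"]?([^'\"\s]+)",
    re.IGNORECASE,
)
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+(?:Bypass|Unrestricted)\b", re.IGNORECASE)


def image_path(cmdline):
    """The executable a command line starts, or None if it cannot be read."""
    m = IMAGE_RE.match(cmdline.strip())
    return m.group(1) if m else None


def is_masquerade(path):
    """True for a system-binary name that runs from outside the system directories."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    return name in SYSTEM_NAMES and directory not in SYSTEM_DIRS


def analyze(cmdline):
    """Findings for one command line; an empty list means nothing suspicious."""
    findings = []
    path = image_path(cmdline)
    if path and is_masquerade(path):
        findings.append(f"masquerade: {path}")
    for kind, value in EXCLUSION_RE.findall(cmdline):
        kind = kind.lower()
        findings.append(f"defender-exclusion-{kind}: {value}")
        if kind == "path" and is_masquerade(value):
            findings.append(f"exclusion-covers-masquerade: {value}")
        if kind == "process" and ntpath.dirname(value) == "":
            # A bare name matches every process with that name, any path.
            findings.append(f"exclusion-by-bare-name: {value}")
    if BYPASS_RE.search(cmdline):
        findings.append("execution-policy-bypass")
    return findings


def scan(cmdlines):
    """(cmdline, findings) for every line that produced at least one finding."""
    return [(c, analyze(c)) for c in cmdlines if analyze(c)]


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_CMDLINES):
        print(cmdline)
        for f in findings:
            print("   ", f)
```

On a live host the same facts can be confirmed after the fact with Get-MpPreference (ExclusionPath and ExclusionProcess properties) and Defender operational log event 5007, which records every preference change; command-line matching catches the attempt even when the cmdlet fails because the user is not an administrator.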

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 208.95.112.1:80 ip-api.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 sites-sing.gl.at.ply.gg udp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.26.12.205:443 api.ipify.org tcp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
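The table logs every connection, so the same endpoint appears many times. The script below is an added example for this page, not part of the report: it collapses the rows into unique endpoints with hit counts, labels each one and flags ports outside the usual DNS/HTTP/HTTPS set. The four public-IP lookup domains are what the report's "Looks up external IP address via web service" signature refers to; they are benign services, and blocking them globally is rarely practical, but a single process contacting several of them in a row is a reliable stealer and RAT fingerprint. The ply.gg name belongs to the playit.gg tunnelling service, which is why 147.185.221.16:6789 is labelled a C2 candidate rather than a fact; the Dropbox and Telegram roles are likewise assumptions drawn from how stealers commonly use those services, not statements the report makes.

```python
import re
from collections import Counter

# Constructed input: the Network table of this report, copied row for row.
NETWORK_ROWS = """\
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 208.95.112.1:80 ip-api.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 sites-sing.gl.at.ply.gg udp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.26.12.205:443 api.ipify.org tcp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
"""

ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")

# Public-IP / geolocation services behind the report's external-IP-lookup signature.
IP_LOOKUP = {"freegeoip.app", "ipbase.com", "api.ipify.org", "ip-api.com"}
# Assumed roles for the remaining hosts; the report itself does not state them.
ASSUMED_ROLE = {
    "dl.dropboxusercontent.com": "payload download staging (assumption)",
    "api.telegram.org": "bot-API exfiltration channel (assumption)",
}
TUNNEL_SUFFIXES = (".ply.gg",)   # playit.gg tunnel endpoints
COMMON_PORTS = {53, 80, 443}


def parse_rows(text):
    """One dict per table row; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Role label for one row, with assumptions marked as such in the label."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-lookup"
    d = row["domain"]
    if d in IP_LOOKUP:
        return "external-ip-lookup"
    if d.endswith(TUNNEL_SUFFIXES):
        return "tunnel-endpoint, C2 candidate (assumption)"
    return ASSUMED_ROLE.get(d, "unclassified")


def triage(text):
    """Unique endpoints with role, hit count and an odd-port flag, busiest first."""
    counts = Counter((r["domain"], r["ip"], r["port"], r["proto"])
                     for r in parse_rows(text))
    result = []
    for (domain, ip, port, proto), n in counts.items():
        row = {"domain": domain, "ip": ip, "port": port, "proto": proto}
        result.append({**row, "role": classify(row), "hits": n,
                       "odd_port": port not in COMMON_PORTS})
    result.sort(key=lambda e: (e["role"] == "dns-lookup", -e["hits"]))
    return result


def domain_iocs(text):
    """Unique names from the DNS rows: the list to hunt for in resolver logs."""
    return sorted({r["domain"] for r in parse_rows(text) if classify(r) == "dns-lookup"})


if __name__ == "__main__":
    for e in triage(NETWORK_ROWS):
        flag = " !" if e["odd_port"] else ""
        print(f"{e['hits']:2d}x {e['proto']} {e['ip']}:{e['port']}{flag}  {e['domain']}  [{e['role']}]")
```

The Dropbox and Telegram IPs are shared CDN and API front ends, so the hunt should key on the domain names and on the 147.185.221.16:6789 pair, not on 162.125.64.15 or 149.154.167.220 alone.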

Files

memory/2480-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

memory/2480-1-0x0000000000CD0000-0x0000000000CFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 90feaeac1ed833652f5267124acd8293
SHA1 ba3fa9aa1c28e54d712bf8766234410d56494859
SHA256 a9ad869209d1344ab64479f2f1557291b97358451a4aa6d32da2f570de02851b
SHA512 0b29579c520bd59fddb14e50c2f4c7ab407ee6177cc2682461c1308f78bacfc151b5d3fc16c2b5b566fca40fdba683cf403b7efaa23fe3b9b5efec1ad0568042

C:\Users\Admin\AppData\Local\Temp\zzzz.exe

MD5 de4824c195cf1b2bb498511ef461e49b
SHA1 f15ca6d0e02c785cce091dbd716cd43e3f5a80bd
SHA256 51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209
SHA512 b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

memory/2940-13-0x0000000001350000-0x0000000001360000-memory.dmp

memory/2480-14-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

memory/2936-15-0x0000000000F50000-0x0000000000FA6000-memory.dmp

memory/2940-16-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

C:\ProgramData\MUYDDIIS\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/1800-91-0x000000001B8C0000-0x000000001BBA2000-memory.dmp

memory/1800-92-0x00000000026E0000-0x00000000026E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9e15157b00e6c377e52f739ab5f09ad5
SHA1 633facc32a4501fac0ea66a7c46afa897dd64506
SHA256 9183046b5792c1bd784834d3e2772d63b01283fd34ecfb890efd6dec2767bc39
SHA512 081ed449e3afe0c28d06a1df33827f7c7eafad86c548d698059729281ab88771066834fc174e8cc23febf79f0fdafdb02441146efa735932bfb0bfa57a3e563b

memory/1304-101-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/1304-102-0x0000000000370000-0x0000000000378000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2940-122-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\LockRevoke.png

MD5 5f106570d81458e9280086d6a86904aa
SHA1 02442b5ee510a4c260f3c06d4ab7002973367880
SHA256 b3cd31157b20d777c01057303bf2ed6c53bfbdce5cca33e03b3da29febd9c2bc
SHA512 e757be4cf54ccb19dadd0e99e3d9424a174c0318ee66ee8df40af250351f4a130a3d67139a7244e85fae3d13374a165f02b93888776f85b31ca0aea642dd046d

C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\PingTest.html

MD5 345ceda7e465986632070c4535042693
SHA1 d4aff995ea683104ca8a90c7050575282a5bf75b
SHA256 c03fd4804da45fac2d029f5ae0b0f9fe96c0af1c0864e69e5894d2faa3a1f8c7
SHA512 3d14d9f22b078d182f36a2d7bfeb25b31d9c23b8b51902d120a330950ae8693f109ad6e3582069a9642f8128747e514bd2576e2eb73a4aa5351343050a591a53

C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\TestShow.ini

MD5 5d9049a52c5ee3b8122070c5a3784fbf
SHA1 ef517827e47388ed96dc99883fc6a07589b0abfe
SHA256 d637223c2c1242a9cf121ce37114f5036e89696a8befe080da1317c01f4aa3d3
SHA512 e1c0917888d6c3aec6d3d85cafb72078d656f86f0aac4fcdc77ae86994fc1b6bdf4c577939cbc5fc28f62768b529dda6e46eadd47544768fe8b157ca79c73046

C:\ProgramData\MUYDDIIS\FileGrabber\Desktop\TraceRemove.pptx

MD5 5e4ed0843fd1634d061db898ce75a117
SHA1 8945024102fa7075fa8e562aa1e439f28f0c0cb8
SHA256 f868699b5f3d0a7d7e195f6c49ad69e7ea6b5cda21a21d40df2a1af6b3d7f156
SHA512 e1cfcc3aec9810ee0e976dafe258d247e1c5e82ce038ff43e2c0e9be4217d707cb76c61bcefb6d558edf64dfcde3e1fe4cd7e765893fc31cec225531aa64b26a

C:\ProgramData\MUYDDIIS\FileGrabber\Documents\CompressDeny.doc

MD5 3a0b3ec93a84a69d2bbf4d101c37f997
SHA1 26118f4e166eeadd877a05ac8e318072ad208b51
SHA256 93e53f8d5ac468355870b82422a4aae5c87f0c8137d31e69fc180943a81c9bc0
SHA512 2cf8508c408fb4ba4b8c764dd81dcf140d83f289ef0483a5d40c5505775aebbdf623eca74d385e0adfde6c70e85a4545268b289c420fb61a84ad3699b6220412

C:\ProgramData\MUYDDIIS\FileGrabber\Documents\OutSubmit.doc

MD5 9bcacd88d9eae06eb760d2bce743e16c
SHA1 b8cf766d8b2083f2da533df7dfeaace455526f3b
SHA256 1780ca831902fd789420240450bcb0ee448ff2db53670b04820baaed30bc444d
SHA512 b8e040265f898e8755e0afe524f654338f371f59811196b5d74d7b2b1bc3042c062a2fe17c27763e60d6c5bba6369256e815ad7929dd9dc83409d0a070b282ae

C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\GroupHide.ini

MD5 a22902ff660be0d88bf91453590fc3f3
SHA1 ed4a71fb41587cb068ee706aabb88d2b84321401
SHA256 3dc4ac5e5f8525838f51c6c9126ac43d02df36c460cf163bac910084bc2479ed
SHA512 9cf6138c9176400e230b4258a993c4a4c7641b45195095e97c2603fde25dcef7550e6d91eb4f88d3de627cbf1ffa1e5a6caa1456a53f77afbe4652f81ef9fdee

C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\PushSwitch.bmp

MD5 f50d1d3c27cab87c13a3bb32200562e4
SHA1 a7771739646433783fff37b1424554f2b2911b96
SHA256 3a387315ab3ff8e2fe2ad35bf6d5a03856a8eb2cc67244bb358f9d1469c5ac2f
SHA512 b1c6bc2f89b88f81ab2239c1c5fbcd5287131b239710394874d1515b2b1a1392c05a98988befcd13b481296b99c6aaa92ba036c758efcb34442c09313baa1f09

C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\RequestPush.pptx

MD5 5ff972fbfbea2e47949a738eb4b3c87e
SHA1 12501b453b85a1fb625a8ee411f7ea4ca3c60b35
SHA256 a0bc04018ef19c8e3d92fc217bcb8b33d1658eae0dd796c51f584ca438706943
SHA512 0685e6a9425e53e6713649b5157d87d91151641a55197dd913e60dc26ae61c22172de57c17ac32eb6ce2879bb7ebb80ada483e974e1ed2185c4b6b7ab673c49f

C:\ProgramData\MUYDDIIS\FileGrabber\Downloads\SaveTrace.png

MD5 70eb14fbe1349884bf91e3fb13ad55de
SHA1 779f0a8633d2cdc491c9b3b510bdc9956872b744
SHA256 389034dfb1926b464f2ec0abe71e79f55919356db565d7d84d0763b8ee7bcd2e
SHA512 7418474e048d174b6b1a9ce565683d90c52511f0ec67a85df9b6cc7426c8597f166cc6ef940aab827990c982368036cc83d533dc2421067daa7b3f2f80a6e1d7

C:\ProgramData\MUYDDIIS\FileGrabber\Pictures\CheckpointRead.png

MD5 6062304de3add9dbcb65caa19ec7bcdd
SHA1 ef2d52896e3aac1596510a2a46d6ba2144efa7c9
SHA256 3b9c583bad97707e848cc639b481b426579432d7d11003fdc6c68b67bba60295
SHA512 6eb4d3ae816b6833c13be100bea54ee293e888a955234ecc19e2148ae398a546c82994ea7cc1c32af74a667fa19337fce610f7d8c0fc9aaeb1f5a687bdb11c84

C:\ProgramData\MUYDDIIS\FileGrabber\Pictures\CheckpointShow.png

MD5 d2663a1edf1d631f916ea240d8d83654
SHA1 58186a9ee455ebd713bff103606fdaeacf3ee609
SHA256 a99d3f53dbdae7db21da31458a01a19896ed09890c8a3e3d91e810b542c3f002
SHA512 d212aa5b9915b219fdea877cbc5ae9274ca43f7d9b45c09800b3042103492b96af78bdc214812814046c7effadf45f7a0e5a614ed3357885966ffb6f9738acc4

C:\ProgramData\MUYDDIIS\FileGrabber\Pictures\GrantSkip.bmp

MD5 e09c7e8e491ffd81737efb0ddfafccb2
SHA1 e6ed7c2767966989ef3baca3d123582073716b91
SHA256 e2c0b0370584279ee03e62abd9d665a78e9c6489db343c1d4b2014ff565782cf
SHA512 fd0aa7005fb12ddbbe57517268ff4a1cfc84a18222ac1a3f41c3d82aa0e0b3e63eb4fc9437be638b60865292ecd614e7be6f988504bc287de804f5fb38683f71