Malware Analysis Report

2025-01-03 06:15

Sample ID 241122-axqwjszrhx
Target Infected.exe
SHA256 7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6
Tags
rat default asyncrat stealerium stormkitty collection discovery execution persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stealerium stormkitty collection discovery execution persistence privilege_escalation spyware stealer

AsyncRat

Async RAT payload

Asyncrat family

StormKitty payload

StormKitty

Stormkitty family

Stealerium family

Stealerium


Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Looks up geolocation information via web service

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

outlook_win_path

outlook_office_path

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 00:35

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 00:35

Reported

2024-11-22 00:53

Platform

win10v2004-20241007-en

Max time kernel

1050s

Max time network

1044s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Stealerium

stealer stealerium

Stealerium family

stealerium

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\windows.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\windows.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\windows.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\windows.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\users\admin\desktop\desktop.ini C:\Users\Admin\AppData\Roaming\windows.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\windows.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\windows.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A (31 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A (33 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A (2 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A (2 identical rows)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

(Every write below was recorded twice in the sandbox log; the duplicate rows are collapsed here.)

Description Indicator Process Target
PID 1616 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 4528 wrote to memory of 688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 216 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 216 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\windows.exe
PID 4080 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Windows\System32\cmd.exe
PID 1784 wrote to memory of 392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Windows\SYSTEM32\cmd.exe
PID 4188 wrote to memory of 4728 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4188 wrote to memory of 2316 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4188 wrote to memory of 3972 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4080 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Windows\SYSTEM32\cmd.exe
PID 4316 wrote to memory of 3800 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4316 wrote to memory of 4240 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
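The rows above are the only record of who spawned whom, and the sandbox logs each write twice. The Python below is an added example, not part of the sandbox output: it parses rows in exactly that format, drops the duplicates, rebuilds the process tree and prints the ancestry of any process of interest (here the two netsh.exe instances). The constructed input is the table's own 14 unique rows plus one duplicate so the de-duplication is exercised.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' rows.

Added example for reading this kind of report; not part of the sandbox output.
"""
import re
from collections import defaultdict

# Constructed sample: the unique rows of the WriteProcessMemory table above.
# The sandbox records every write twice; one duplicate (the first row) is kept
# so that parse_rows() has something to collapse.
WPM_ROWS = r"""
PID 1616 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 4528 wrote to memory of 688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 216 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 216 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\windows.exe
PID 4080 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Windows\System32\cmd.exe
PID 1784 wrote to memory of 392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Windows\SYSTEM32\cmd.exe
PID 4188 wrote to memory of 4728 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4188 wrote to memory of 2316 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4188 wrote to memory of 3972 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4080 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Windows\SYSTEM32\cmd.exe
PID 4316 wrote to memory of 3800 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4316 wrote to memory of 4240 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return {(parent_pid, child_pid): (parent_image, child_image)}, duplicates dropped."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ppid, cpid, pimg, cimg = m.groups()
        edges[(int(ppid), int(cpid))] = (pimg, cimg)   # dict key collapses repeats
    return edges


def build_tree(edges):
    """Children map (sorted pid lists) and pid -> image path map."""
    children = defaultdict(list)
    image = {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
    return {p: sorted(c) for p, c in children.items()}, image


def roots(edges):
    """PIDs that were never written to by another process: the top of the tree."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def ancestry(pid, edges):
    """PID chain from the root down to `pid`; empty list if pid is unknown."""
    parent = {c: p for p, c in edges}
    if pid not in parent and pid not in {p for p, _ in edges}:
        return []
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def find_by_image(image, basename):
    """PIDs whose image path ends with `basename` (case-insensitive)."""
    return sorted(p for p, img in image.items()
                  if img.lower().endswith("\\" + basename.lower()))


def render(children, image, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'    ' * depth}{pid}  {image[pid]}"]
    for c in children.get(pid, []):
        lines.extend(render(children, image, c, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    children, image = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, image, root)))
    for pid in find_by_image(image, "netsh.exe"):
        print("netsh ancestry:", " -> ".join(str(p) for p in ancestry(pid, edges)))
```

Run as a script it prints the single tree rooted at 1616 (Infected.exe) and shows that both netsh.exe instances descend from the %APPDATA% copy (4080), not from the original dropper, which is the relationship the flat table obscures.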

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\windows.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\windows.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp89C1.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\windows.exe

"C:\Users\Admin\AppData\Roaming\windows.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\idgtuc.JPG"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\idgtuc.JPG"'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid
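The command lines above contain the whole install-and-harvest sequence in clear text: a scheduled task created at logon with the highest run level pointing into %APPDATA%, a batch file in %TEMP% that sleeps and then starts the copy, a PowerShell Start-Process with -ExecutionPolicy Bypass on a .JPG in %TEMP%, and two chcp 65001 && netsh wlan runs. The Python below is an added example, not the sandbox's signature set: the rule names and the "highest run level + user-writable target" threshold are the editor's. Input is the command lines from this section paired with the PIDs the WriteProcessMemory table attaches to each image, constructed inline; the en dash in the powershell line is kept as the sandbox recorded it, and the rule matches on ExecutionPolicy so the dash variant does not matter.

```python
"""Rule pass over sandbox-recorded command lines.

Added example; rule names and thresholds are the editor's, not the sandbox's.
"""
import re

# Constructed sample: (pid, command line) pairs from the Processes section. PIDs
# are the ones the WriteProcessMemory table gives each image. The en dash in the
# powershell line is kept exactly as the sandbox recorded it.
PROCESSES = [
    (1616, r'"C:\Users\Admin\AppData\Local\Temp\Infected.exe"'),
    (4528, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit'''),
    (216, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp89C1.tmp.bat""'),
    (688, r'''schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"''' + "'"),
    (4308, "timeout 3"),
    (4080, r'"C:\Users\Admin\AppData\Roaming\windows.exe"'),
    (392, r'''powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\idgtuc.JPG"''' + "'"),
    (4188, r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (4316, r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
]

# Directories an unprivileged user can write to; a task that runs as "highest"
# from one of these is the pattern to flag.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)


def parse_schtasks(cmd):
    """Task name, trigger, run level and target of a 'schtasks /create' line, else None."""
    if not re.search(r"\bschtasks\b.*/create", cmd, re.I):
        return None

    def opt(flag, value_pattern):
        m = re.search(r"/" + flag + r"\s+" + value_pattern, cmd, re.I)
        return m.group(1) if m else None

    quoted = r'''["']*([^"']+)'''   # strips any mix of ' and " around the value
    return {
        "name": opt("tn", quoted),
        "trigger": opt("sc", r"(\S+)"),
        "runlevel": opt("rl", r"(\S+)"),
        "target": opt("tr", quoted),
    }


def triage(cmd):
    """Names of the rules a single command line trips, in rule order."""
    hits = []
    task = parse_schtasks(cmd)
    if task:
        if ((task["runlevel"] or "").lower() == "highest"
                and task["target"] and USER_WRITABLE.search(task["target"])):
            hits.append("schtasks_highest_from_user_writable")
        if (task["trigger"] or "").lower() == "onlogon":
            hits.append("schtasks_onlogon_persistence")
    if re.search(r"\bnetsh\s+wlan\s+show\s+(profile|networks)\b", cmd, re.I):
        hits.append("wlan_profile_or_bssid_harvest")
    if re.search(r"\bchcp\s+65001\s*&&", cmd, re.I):
        hits.append("chcp_utf8_before_discovery")
    if re.search(r"ExecutionPolicy\s+Bypass", cmd, re.I):
        hits.append("powershell_execpolicy_bypass")
    if re.search(r'\bStart-Process\b.*\\Temp\\\S+\.(jpg|jpeg|png|gif|pdf|txt)\b', cmd, re.I):
        hits.append("start_process_on_temp_nonexe")
    if (re.search(r'\bcmd(\.exe)?"?\s+/c\b', cmd, re.I)
            and re.search(r'\\Temp\\\S+\.bat\b', cmd, re.I)):
        hits.append("cmd_runs_temp_batch")
    if re.fullmatch(r"\s*timeout\s+\d+\s*", cmd, re.I):
        hits.append("timeout_delay")
    return hits


def triage_all(processes):
    """{pid: [rule names]} for a list of (pid, command line) pairs."""
    return {pid: triage(cmd) for pid, cmd in processes}


if __name__ == "__main__":
    for pid, rules in triage_all(PROCESSES).items():
        if rules:
            print(pid, ", ".join(rules))
```

Both the cmd.exe wrapper (4528) and the schtasks.exe child (688) trip the scheduled-task rules, so a real detection should key on the process that actually calls the Task Scheduler to avoid double alerts; the parent/child relationship comes from the WriteProcessMemory table, not from the command line.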

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 forums-appliances.gl.at.ply.gg udp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
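The table mixes four kinds of traffic: forward DNS queries, the reverse lookups the sandbox issues for every address it sees, the external-IP and geolocation web lookups, and the repeated TCP connections to 147.185.221.24:1962. The Python below is an added example, not part of the report: it parses rows in the table's format, drops the reverse-DNS noise, counts connections per TCP endpoint and returns the most-contacted endpoint that is not a known lookup service as the C2 candidate. The labels for icanhazip.com and ip-api.com follow the report's own "Looks up external IP address" signature; the labels for api.mylnikov.org (a Wi-Fi/BSSID geolocation API, which fits the netsh wlan show networks mode=bssid command above) and for *.ply.gg (a playit.gg tunnel hostname) are the editor's assumptions and are marked as such in the code. The input is constructed from the table, keeping all nine ply.gg connections and a few of the reverse lookups.

```python
"""Separate C2 traffic from lookup noise in a sandbox network table.

Added example; the service labels are the editor's (see SERVICE_LABELS).
"""
import re
from collections import Counter

# Constructed sample: rows copied from the Network table above. The reverse-DNS
# rows are trimmed to three; all nine connections to the ply.gg endpoint are kept.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 forums-appliances.gl.at.ply.gg udp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 147.185.221.24:1962 forums-appliances.gl.at.ply.gg tcp
"""

ROW_RE = re.compile(r"^(\w{2}) (\S+):(\d+) (\S+) (udp|tcp)$")

# Editor's labels. icanhazip.com and ip-api.com are the external-IP services the
# report's own signature names. api.mylnikov.org is ASSUMED to be the Wi-Fi
# (BSSID) geolocation API that pairs with 'netsh wlan show networks mode=bssid';
# *.ply.gg is ASSUMED to be a playit.gg tunnel hostname.
SERVICE_LABELS = {
    "icanhazip.com": "external-ip-lookup",
    "ip-api.com": "external-ip-lookup",
    "api.mylnikov.org": "wifi-geolocation-lookup (assumed)",
}
TUNNEL_SUFFIXES = (".ply.gg",)
LOOKUP_PREFIXES = ("external-ip", "wifi-geolocation")


def parse_network(text):
    """Rows of the table as dicts; raises on a line that does not fit the layout."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        cc, ip, port, domain, proto = m.groups()
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_reverse_dns(row):
    """PTR lookups the sandbox issues for every address it observes."""
    return row["proto"] == "udp" and row["port"] == 53 and row["domain"].endswith(".in-addr.arpa")


def label(domain):
    if domain in SERVICE_LABELS:
        return SERVICE_LABELS[domain]
    if domain.endswith(TUNNEL_SUFFIXES):
        return "tunnel-endpoint (assumed)"
    return "unlabelled"


def endpoints(rows):
    """TCP endpoints with connection counts, most contacted first."""
    c = Counter((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")
    return [{"ip": ip, "port": port, "domain": d, "connections": n, "label": label(d)}
            for (ip, port, d), n in c.most_common()]


def candidate_c2(rows):
    """Most-contacted TCP endpoint that is not a known lookup service.

    The 80/443 filter is a heuristic only: plenty of C2 rides on 443, so drop it
    when the lookup-service filter alone is enough to pick the endpoint out.
    """
    for e in endpoints(rows):
        if e["label"].startswith(LOOKUP_PREFIXES):
            continue
        if e["port"] in (80, 443):
            continue
        return e
    return None


def dns_questions(rows):
    """Forward DNS names the sample resolved, reverse lookups dropped."""
    return sorted({r["domain"] for r in rows
                   if r["proto"] == "udp" and r["port"] == 53 and not is_reverse_dns(r)})


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print("resolved:", ", ".join(dns_questions(rows)))
    for e in endpoints(rows):
        print(f'{e["ip"]}:{e["port"]} {e["domain"]} x{e["connections"]} [{e["label"]}]')
    print("C2 candidate:", candidate_c2(rows))
```

On this table the candidate is 147.185.221.24:1962 with nine connections over the run, which is the reconnecting-client behaviour expected from the RAT component; the single connections to the three lookup services are the stealer's one-shot environment collection.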

Files

memory/1616-0-0x00007FFE394C3000-0x00007FFE394C5000-memory.dmp

memory/1616-1-0x0000000000570000-0x0000000000586000-memory.dmp

memory/1616-2-0x00007FFE394C0000-0x00007FFE39F81000-memory.dmp

memory/1616-7-0x00007FFE394C0000-0x00007FFE39F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp89C1.tmp.bat

MD5 093c8584b9bab33c585dce7b1cd91775
SHA1 8ab42ba001cc93ba27b0bfb7bf90d9e8e32ace3b
SHA256 c151c09e3211f36582c9c0ba242b09aa9ecb638009533240151a85cb60443a41
SHA512 2b9df9ff27d6b4c47a6b8cb1b9fc81dd2c7dae534b30b2226c5a72ebb05407ed018d8e673e7cec79c73f8add5dd90cd757c45491687b983fad2ac58d328b092c

C:\Users\Admin\AppData\Roaming\windows.exe (same SHA256 as Infected.exe: the sample copies itself to %APPDATA%\windows.exe, the path the "windows" scheduled task launches)

MD5 9efaf6b98fdde9df4532d1236b60619f
SHA1 5d1414d09d54de16b04cd0cd05ccfc0692588fd1
SHA256 7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6
SHA512 eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

memory/4080-14-0x000000001DD50000-0x000000001DDC6000-memory.dmp

memory/4080-15-0x0000000002DD0000-0x0000000002E02000-memory.dmp

memory/4080-16-0x000000001BD90000-0x000000001BDAE000-memory.dmp

memory/4080-17-0x0000000020D90000-0x0000000020DC4000-memory.dmp

memory/4080-18-0x000000001D6D0000-0x000000001D73A000-memory.dmp

memory/4080-19-0x000000001D740000-0x000000001D764000-memory.dmp

memory/4080-20-0x0000000022140000-0x0000000022172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rdsfy41b.tah.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/392-22-0x00000179485C0000-0x00000179485E2000-memory.dmp

memory/4080-34-0x0000000021460000-0x0000000021582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6CC8.tmp.dat

MD5 2ba42ee03f1c6909ca8a6575bd08257a
SHA1 88b18450a4d9cc88e5f27c8d11c0323f475d1ae6
SHA256 a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd
SHA512 a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 6567b8bf6394c215fc0164bdb6be9d49
SHA1 361068a8dbe48dd3f79de190a1fa507768970d5e
SHA256 5f5f264f10158983fa4ffabe7ee45293176979610d00594d19dccff33cd6f152
SHA512 0d2ae07e2b3f31e4cb9cfade4c7ea764d8f0da6042d3c09892720f8339ee32367cf566d9b8484b5adb7fe36d6ecca5d5d8d3c0418f5bcc45f6c437e54f6bd898

C:\Users\Admin\AppData\Local\Temp\tmp6D40.tmp.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\Temp\tmp6D3F.tmp.dat

MD5 56ad94fbf3c26aedcf4dd458ee76ff12
SHA1 635d186359ac1cc5619cc1f0b70e873b92475882
SHA256 5d70a64bf679727c7efc1918ba8c4ceb216a685a8135917d69c239080ffb7419
SHA512 85775fb01ef86d80d4850db063a2b8ddc0aa52c319d7c45ff78cc9e8b6318f210ea125e4b09b9559c22109049207846e1f4d035721929f608f0c48f83de7869c

C:\Users\Admin\AppData\Local\Temp\tmp6D3E.tmp.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\tmp6D70.tmp.dat

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

memory/4080-154-0x000000001DAD0000-0x000000001DC58000-memory.dmp

memory/4080-159-0x000000001DC60000-0x000000001DC6A000-memory.dmp

C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\Admin@ZTSLLRFH_en-US\System\Process.txt

MD5 14da8005e9d387a6448a569c2de8e176
SHA1 afc0660db65c6ffcf6e8ce64fde12646205da2b5
SHA256 8499a6b47be4b6efe6cd3f6b597f3edd9681429b4d07aeadec1a7a1d7af47ec4
SHA512 0c4ed900080773cc998864d6d3d1840876a9211b8e7dc259e007a75baf143c51476fac2b0cc36517b7a297665973beb1c9c574bcd5b6df3f4bb58ef74f0fb7ff

memory/4080-302-0x000000001BEE0000-0x000000001BF5A000-memory.dmp