Malware Analysis Report

2025-01-03 06:16

Sample ID 241123-vr7bkavlfp
Target cnchecker4
SHA256 dc0ac276ec83d53e1c05b0f88a47515871f19df0686530258d6ce7184b0596c5
Tags stormkitty asyncrat default discovery persistence privilege_escalation rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file cnchecker4 was found to be: Known bad.

Malicious Activity Summary

Asyncrat family

StormKitty payload

AsyncRat

StormKitty

Stormkitty family

Async RAT payload

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 17:14

Signatures

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 17:14

Reported

2024-11-23 17:17

Platform

win7-20240903-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\2afeaf79749025e29b4eab306b2c671f\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2afeaf79749025e29b4eab306b2c671f\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2afeaf79749025e29b4eab306b2c671f\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2afeaf79749025e29b4eab306b2c671f\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2afeaf79749025e29b4eab306b2c671f\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE (x4)
PID 2336 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE (x4)
PID 3036 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe (x4)
PID 1704 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (x4)
PID 1704 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe (x4)
PID 1704 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (x4)
PID 3036 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe (x4)
PID 2256 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (x4)
PID 2256 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe (x4)
PID 3036 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\schtasks.exe (x4)

Processes

C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

"C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE"

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 N/A tcp
US 8.8.8.8:53 google.com udp

Files

\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

MD5 4841f7e00c8757f9b0162e8cb09b03fc
SHA1 e248569e3de83d278e73f3dde2c02d90f85908f3
SHA256 8cb9d9efcc08a7ba56c8dffc34514e652da16e92d7c1c2338c71b1c0cce2184c
SHA512 e0f48c1ea950799c3dba1926132793fe0457bfd3772f60287a28453f84b0dd5b93c600e36d9e40974721acc856a37f835fd5ec0ad7933a63c4430ffdbfb089a1

\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5 905d8f8b1d16ce5c63f6a806e1efeb98
SHA1 75c8c39c0bb5e48f53f1585a9cefa03a997dc680
SHA256 78dcc1bbf29a5d6e5cb57506f273d41e8629232bc733bb4126955f40f60f63f4
SHA512 f0c00f773909bc0b04e638196f902f314d75000e04ed7bc72b3d9b35c4278de3f18d7e02aaf85e70207860aa3d920d167c62e14bbdf9289481bcf516ebf87a5f

memory/3036-16-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/3036-17-0x0000000000A70000-0x0000000000AB0000-memory.dmp

memory/3036-18-0x00000000749B0000-0x000000007509E000-memory.dmp

C:\Users\Admin\AppData\Local\2afeaf79749025e29b4eab306b2c671f\Admin@JSMURNPT_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/3036-91-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/3036-92-0x00000000749B0000-0x000000007509E000-memory.dmp

C:\Users\Admin\AppData\Local\44ce74e1ef0c162eae7fce3fbf738c5a\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 17:14

Reported

2024-11-23 17:17

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE (x2)
PID 1328 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE (x3)
PID 2248 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe (x3)
PID 3724 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (x3)
PID 3724 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe (x3)
PID 3724 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (x3)
PID 2248 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe (x3)
PID 620 wrote to memory of 3764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (x3)
PID 620 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe (x3)
PID 2248 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\schtasks.exe (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

"C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE"

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

Network

Country Destination Domain Proto
FI 65.108.127.103:4430 N/A tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 120.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 103.127.108.65.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7707 N/A tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 217.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

MD5 4841f7e00c8757f9b0162e8cb09b03fc
SHA1 e248569e3de83d278e73f3dde2c02d90f85908f3
SHA256 8cb9d9efcc08a7ba56c8dffc34514e652da16e92d7c1c2338c71b1c0cce2184c
SHA512 e0f48c1ea950799c3dba1926132793fe0457bfd3772f60287a28453f84b0dd5b93c600e36d9e40974721acc856a37f835fd5ec0ad7933a63c4430ffdbfb089a1

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5 905d8f8b1d16ce5c63f6a806e1efeb98
SHA1 75c8c39c0bb5e48f53f1585a9cefa03a997dc680
SHA256 78dcc1bbf29a5d6e5cb57506f273d41e8629232bc733bb4126955f40f60f63f4
SHA512 f0c00f773909bc0b04e638196f902f314d75000e04ed7bc72b3d9b35c4278de3f18d7e02aaf85e70207860aa3d920d167c62e14bbdf9289481bcf516ebf87a5f

memory/2248-19-0x00000000740CE000-0x00000000740CF000-memory.dmp

memory/2248-20-0x00000000007A0000-0x00000000007E0000-memory.dmp

memory/2248-21-0x00000000058B0000-0x0000000005916000-memory.dmp

memory/2248-22-0x00000000067B0000-0x0000000006D54000-memory.dmp

memory/2248-23-0x00000000062A0000-0x0000000006332000-memory.dmp

C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\06ebb5b204e4f092eebc290fddc8d0c2\Admin@UTKBEBLO_en-US\System\Process.txt

MD5 fb867ca3ab70446fe1287f357b054ce7
SHA1 5c5ae3f02bafc9da891ceb0b52c2049b5518d3df
SHA256 e3a087e0624570f8601bde6317b5b7d8cb36da40bad15ff9293452b49c90ba80
SHA512 445f27f04a02086682148d9970bba6272af4c2389c4d08473f266aa8d0a9d1823681b9fe32562f8dc0f6138236109acfe0c8aada4b533290c13c8c82674c86a0

memory/2248-173-0x0000000006710000-0x000000000671A000-memory.dmp

memory/2248-174-0x00000000740CE000-0x00000000740CF000-memory.dmp

C:\Users\Admin\AppData\Local\72bb288bac798342fbc8cedf20bc1502\msgid.dat

MD5 70efdf2ec9b086079795c442636b55fb
SHA1 0716d9708d321ffb6a00818614779e779925365c
SHA256 4523540f1504cd17100c4835e85b7eefd49911580f8efff0599a8f283be6b9e3
SHA512 dc2de67eb248dcdc50c63aabd1bca8335ad01106dd8ff720590077c161f558a7b61db3c56b3a32997597a3db98fd191c3e9e7fdf555aac1525f0b5342cac4088

memory/2248-180-0x0000000006DE0000-0x0000000006DF2000-memory.dmp

memory/2248-205-0x00000000080E0000-0x00000000080EA000-memory.dmp