Malware Analysis Report

2025-01-03 06:23

Sample ID 241123-vyqx6ayma1
Target cnchecker4
SHA256 dc0ac276ec83d53e1c05b0f88a47515871f19df0686530258d6ce7184b0596c5
Tags
stormkitty asyncrat default discovery persistence privilege_escalation rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

dc0ac276ec83d53e1c05b0f88a47515871f19df0686530258d6ce7184b0596c5

Threat Level: Known bad

The file cnchecker4 was found to be: Known bad.

Malicious Activity Summary

AsyncRat

Stormkitty family

StormKitty payload

StormKitty

Asyncrat family

Async RAT payload

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up geolocation information via web service

Drops desktop.ini file(s)

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2024-11-23 17:24

Signatures

StormKitty payload

Stormkitty family

stormkitty

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 17:24

Reported

2024-11-23 17:26

Platform

win7-20241023-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Stormkitty family

stormkitty

Async RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE
PID 2656 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
PID 2496 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1692 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2496 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1232 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2496 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

"C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE"

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 google.com udp
N/A 127.0.0.1:7707 tcp

Files

\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

MD5 4841f7e00c8757f9b0162e8cb09b03fc
SHA1 e248569e3de83d278e73f3dde2c02d90f85908f3
SHA256 8cb9d9efcc08a7ba56c8dffc34514e652da16e92d7c1c2338c71b1c0cce2184c
SHA512 e0f48c1ea950799c3dba1926132793fe0457bfd3772f60287a28453f84b0dd5b93c600e36d9e40974721acc856a37f835fd5ec0ad7933a63c4430ffdbfb089a1

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5 905d8f8b1d16ce5c63f6a806e1efeb98
SHA1 75c8c39c0bb5e48f53f1585a9cefa03a997dc680
SHA256 78dcc1bbf29a5d6e5cb57506f273d41e8629232bc733bb4126955f40f60f63f4
SHA512 f0c00f773909bc0b04e638196f902f314d75000e04ed7bc72b3d9b35c4278de3f18d7e02aaf85e70207860aa3d920d167c62e14bbdf9289481bcf516ebf87a5f

memory/2496-16-0x00000000742EE000-0x00000000742EF000-memory.dmp

memory/2496-17-0x0000000000110000-0x0000000000150000-memory.dmp

memory/2496-18-0x00000000742E0000-0x00000000749CE000-memory.dmp

C:\Users\Admin\AppData\Local\53a7b416d38cb048b27020ba4b5b723f\Admin@PJCSDMRP_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2496-91-0x00000000742EE000-0x00000000742EF000-memory.dmp

memory/2496-92-0x00000000742E0000-0x00000000749CE000-memory.dmp

C:\Users\Admin\AppData\Local\df49abc42804860daf5ca8691ebbc4b8\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 17:24

Reported

2024-11-23 17:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Stormkitty family

stormkitty

Async RAT payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
File created C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE
PID 1608 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
PID 3416 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 560 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 560 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3416 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2020 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3416 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe

"C:\Users\Admin\AppData\Local\Temp\cnchecker4.exe"

C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

"C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE"

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"

Network

Country Destination Domain Proto
FI 65.108.127.103:4430 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 120.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 103.127.108.65.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\CNCHECKER3.EXE

MD5 4841f7e00c8757f9b0162e8cb09b03fc
SHA1 e248569e3de83d278e73f3dde2c02d90f85908f3
SHA256 8cb9d9efcc08a7ba56c8dffc34514e652da16e92d7c1c2338c71b1c0cce2184c
SHA512 e0f48c1ea950799c3dba1926132793fe0457bfd3772f60287a28453f84b0dd5b93c600e36d9e40974721acc856a37f835fd5ec0ad7933a63c4430ffdbfb089a1

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5 905d8f8b1d16ce5c63f6a806e1efeb98
SHA1 75c8c39c0bb5e48f53f1585a9cefa03a997dc680
SHA256 78dcc1bbf29a5d6e5cb57506f273d41e8629232bc733bb4126955f40f60f63f4
SHA512 f0c00f773909bc0b04e638196f902f314d75000e04ed7bc72b3d9b35c4278de3f18d7e02aaf85e70207860aa3d920d167c62e14bbdf9289481bcf516ebf87a5f

memory/3416-18-0x00000000732FE000-0x00000000732FF000-memory.dmp

memory/3416-20-0x0000000000E90000-0x0000000000ED0000-memory.dmp

memory/3416-21-0x0000000005E70000-0x0000000005ED6000-memory.dmp

memory/3416-22-0x0000000006DB0000-0x0000000007354000-memory.dmp

memory/3416-23-0x0000000006800000-0x0000000006892000-memory.dmp

C:\Users\Admin\AppData\Local\2b890aefcc9965968e99d0eec0859a1e\Admin@KBKWGEBK_en-US\System\Process.txt

MD5 b1fd52c98d59edcf759b814da905d6cd
SHA1 ee931dbf27d543e62a0648d4f5e1dd7d7c288b20
SHA256 1974f6cda57ea28e1107559460baf543739154ed0f59423bea4060847fdee252
SHA512 c8f39b1d115f29f004ca489f8c2e4b06e95232c524efc3af8f1313b529edc8aa130cd88671b587295291301d5765d210002376480409769e8469efd71b2c3ae2

memory/3416-173-0x00000000732FE000-0x00000000732FF000-memory.dmp

memory/3416-176-0x0000000007370000-0x000000000737A000-memory.dmp

C:\Users\Admin\AppData\Local\5d245553762f91ebf93b56ca0abed3a8\msgid.dat

MD5 e2c420d928d4bf8ce0ff2ec19b371514
SHA1 d02560dd9d7db4467627745bd6701e809ffca6e3
SHA256 7f2253d7e228b22a08bda1f09c516f6fead81df6536eb02fa991a34bb38d9be8
SHA512 a8abec0b2fac3f9c8d08c0b2b06e75e591b67a5cba47cc0f0c66468f1db6b5ddb75461b57ea1e17f1eb90b62e6ca9e1cd2491e43829709288e1f1f592bcae1a1

memory/3416-182-0x0000000007D20000-0x0000000007D32000-memory.dmp

memory/3416-207-0x0000000008690000-0x000000000869A000-memory.dmp