Malware Analysis Report

2025-01-03 06:45

Sample ID 230823-xqq93agd6w
Target r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.bin
SHA256 af5eb7b86d17c4a4df7aadc1c391c015e5d95e4fca69a7ab223582f07f0002d1
Tags
stormkitty stealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af5eb7b86d17c4a4df7aadc1c391c015e5d95e4fca69a7ab223582f07f0002d1

Threat Level: Known bad

The file r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.bin was found to be: Known bad.

Malicious Activity Summary

stormkitty stealer spyware

StormKitty payload

StormKitty

Stormkitty family

Downloads MZ/PE file

Deletes itself

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-23 19:03

Signatures

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-23 19:03

Reported

2023-08-23 19:06

Platform

win7-20230712-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob data omitted] C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe

"C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA248.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA248.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

TaskKill /F /IM 2216

C:\Windows\system32\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2216-0-0x00000000001D0000-0x00000000001F4000-memory.dmp

memory/2216-1-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

memory/2216-2-0x000000001BDC0000-0x000000001BE40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

C:\Users\Admin\AppData\Local\Temp\tmpA248.tmp.bat

MD5 98e7746c5e64560e90d969fbb91d3701
SHA1 ab9eecc76ca08b0e77fc5452df1f3388ec9233fe
SHA256 e86cd78559704ac8df4a2ae95e71a0a32351fcabc756ba55c6676c763b097af1
SHA512 f977a908953e119575e72cfec6e56cb636697e86ef39b25358c392016e08bd2e2fbf6b53de0dd87f901ca95032b81f9dd6d6e1e5808b4380f13369027e538122

memory/2216-10-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-23 19:03

Reported

2023-08-23 19:06

Platform

win10v2004-20230703-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
File created C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
File created C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
File created C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
File created C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
File created C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
(25 identical rows; the sample process triggered this signature 25 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe C:\Windows\SYSTEM32\cmd.exe
PID 1272 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe C:\Windows\SYSTEM32\cmd.exe
PID 2764 wrote to memory of 3668 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2764 wrote to memory of 3668 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2764 wrote to memory of 1200 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1200 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 3984 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2764 wrote to memory of 3984 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1272 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe C:\Windows\SYSTEM32\cmd.exe
PID 1272 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe C:\Windows\SYSTEM32\cmd.exe
PID 2784 wrote to memory of 3812 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2784 wrote to memory of 3812 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2784 wrote to memory of 2888 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2784 wrote to memory of 2888 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1272 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe C:\Windows\System32\cmd.exe
PID 1272 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe C:\Windows\System32\cmd.exe
PID 1884 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1884 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1884 wrote to memory of 3408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1884 wrote to memory of 3408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1884 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1884 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe

"C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFB64.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFB64.tmp.bat

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\taskkill.exe

TaskKill /F /IM 1272

C:\Windows\system32\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/1272-0-0x00000286B8890000-0x00000286B88B4000-memory.dmp

memory/1272-1-0x00007FF8E4800000-0x00007FF8E52C1000-memory.dmp

memory/1272-2-0x00000286D2F60000-0x00000286D2F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\Process.txt

MD5 2414383b508edc36839671b29684fc43
SHA1 c5b4661823a11c1033bd2de13a48a913902d125b
SHA256 8223e66e8aa0bbad3342e91c85f1be53b3551c0c35400d7900250235143b0401
SHA512 eca2cfd836aa002ab8ff144be77bed1f84ebe004e4b9a81d34eb304e0193a68a8e2a8f15a887e058037ea59af28fe5da94a45aff7127652397a2c6f6e5f1a904

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\Process.txt

MD5 40738b04c25f28f281c4502cdef26ffa
SHA1 6ed9e8dc49740f76b8dac2a60bee141df6d0cf05
SHA256 5879450deaeaa95ee6fcee0b49c14bb08221ef72c7e21ff06a8f472ab8d4150c
SHA512 ba95937817b61880cabedb9d338a90f1ff4ddc353b6f09d97a71963c3292d03465bb0d76749d7ca202d7a811105c0fe79c928ac44592412759949e55269c263b

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Browsers\InternetExplorer\Passwords.txt

MD5 a70c01a301af5922c13cd6fbaa6606c1
SHA1 c994d604d4bbc15c661e5165e8cd240879d60083
SHA256 d6831857c1ccceeb608c0ef58eafc352f57c35d1f7fde7583f7c059a3472d6e2
SHA512 721c1e572de47962c52a0bae9fa0a05ccb1f5c1e3a877efc7307f8c71427191c4bfa14284427d219630b217c629e5bc1482c1ed09b35dbd2956fdc0b42732a5a

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\Process.txt

MD5 0820d74a728c233c20ba3868d65860c4
SHA1 3f7e9e2fb5bd5e4229c1ca87e09e9791af0fcd77
SHA256 b4a6ed02b11a55527e4eda090c13f239d5f9a1c2c39ac456e00a0fa77a6267bd
SHA512 ce266616a54a9f7056274a15ccacd3ca094b3b607913b315386739415a909e218ece65f7ea374103ceab20a185e9c5366f967bb40eb2fcd95541e6a16ad5a94d

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\Process.txt

MD5 7422f9c28bfa002aff52d88dd8610038
SHA1 57256766220f7f3d7b4af477074059bea1a59cea
SHA256 6294ffabadff13a9da0a0dddec14dee4539ac41b6233b99a19b6b53301ad2fd0
SHA512 cd2e632cebac47222bfa1a1cdf071a25343c347be43ee35649b3a03877b67a511f0e98b2c61f1d6c18fbd1fa33182af260e643e0bb0ed3db9bbc71f8b8e55401

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\Process.txt

MD5 f6cf98cd8b76fd6f7b6da835b84a867b
SHA1 019f4c760f757b159afc00e7f717a14c90ee1ab2
SHA256 337ce7687d61ccf0f583bd79cb866c1b819a433cc69700871074f943c7eb9a1a
SHA512 a52cd9648c9bb1319743c23a47c71273080a2f527ef80cb6e693d4f550e4ffb548faeb13c8d69113612a2164b9bef4866b24f3a48d0461fcf158b3afd18ac871

memory/1272-158-0x00007FF8E4800000-0x00007FF8E52C1000-memory.dmp

memory/1272-159-0x00000286D2F60000-0x00000286D2F70000-memory.dmp

memory/1272-161-0x00000286D47E0000-0x00000286D4856000-memory.dmp

memory/1272-162-0x00000286D2F60000-0x00000286D2F70000-memory.dmp

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/1272-256-0x00000286D2F60000-0x00000286D2F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFB64.tmp.bat

MD5 60d560f9ffdbd40f0a5e8e879b66a58f
SHA1 258676d68655dd279def7aeadee1a41701010226
SHA256 1dfc4655c4b09d5bc6125009bb3f71ac83a11bcfc68b9f86a773d0531cc2b886
SHA512 948ea2c5e98d359028bb9cf4d7ac957b56a5584e1006d8754dac2e8402c331a7b83b81e7d75206462a6f9729bfa6b96e03a880aeb42b22232347e1aab58e34c2

memory/1272-258-0x00007FF8E4800000-0x00007FF8E52C1000-memory.dmp