Malware Analysis Report

2024-09-22 23:53

Sample ID 240418-lpb8zahd44
Target f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118
SHA256 181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5
Tags
stormkitty spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5

Threat Level: Known bad

The file f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

stormkitty spyware stealer

StormKitty

StormKitty payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Looks up geolocation information via web service

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-18 09:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 09:42

Reported

2024-04-18 09:44

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 1672 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2604 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2604 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2604 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2604 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2604 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2604 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2604 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2604 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2604 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2604 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2604 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2640 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2464 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2464 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2464 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2464 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2640 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2640 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2640 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2640 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 2496

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.73:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/1672-0-0x0000000000140000-0x0000000000174000-memory.dmp

memory/1672-1-0x0000000074100000-0x00000000747EE000-memory.dmp

memory/1672-2-0x00000000047B0000-0x00000000047F0000-memory.dmp

memory/1672-3-0x0000000000240000-0x0000000000254000-memory.dmp

memory/2640-4-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1672-6-0x0000000074100000-0x00000000747EE000-memory.dmp

memory/2640-7-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2640-9-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2640-10-0x0000000074080000-0x000000007476E000-memory.dmp

memory/2640-11-0x00000000058B0000-0x00000000058F0000-memory.dmp

memory/2640-80-0x00000000058B0000-0x00000000058F0000-memory.dmp

C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\CabDED4.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarDFA6.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf207f988b677815c807554b908d4c40
SHA1 9a2a693f0250e1788809f96fa86f9301180d3876
SHA256 c611ac2af75d8bb66a4495bb41c3aa96b9620a135d29202e2dbb3cf66ff67890
SHA512 2a5f8a319c5a12906b365fa5fc127c598fd5fb62a1f57c12e66ed5a8c4801db5c9a4827ef082b924ad778bd0323b66ecfdc56180512f43d928a5ebdd3da0850d

C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2640-186-0x0000000074080000-0x000000007476E000-memory.dmp

memory/2640-187-0x00000000058B0000-0x00000000058F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 09:42

Reported

2024-04-18 09:44

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 2920 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
PID 3588 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3800 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3800 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3800 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3800 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3800 wrote to memory of 3780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3800 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3800 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3800 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3588 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4660 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4660 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4660 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4660 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4660 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1444

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/2920-0-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2920-1-0x0000000000110000-0x0000000000144000-memory.dmp

memory/2920-2-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

memory/2920-3-0x0000000004AC0000-0x0000000004B36000-memory.dmp

memory/2920-4-0x0000000004A60000-0x0000000004A7E000-memory.dmp

memory/2920-5-0x0000000004A80000-0x0000000004A94000-memory.dmp

memory/3588-6-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe.log

MD5 3654bd2c6957761095206ffdf92b0cb9
SHA1 6f10f7b5867877de7629afcff644c265e79b4ad3
SHA256 c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4
SHA512 e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

memory/2920-9-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3588-10-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3588-11-0x00000000053F0000-0x0000000005456000-memory.dmp

memory/3588-12-0x00000000056F0000-0x0000000005700000-memory.dmp

C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/3588-71-0x00000000064A0000-0x0000000006532000-memory.dmp

memory/3588-73-0x0000000006EE0000-0x0000000007484000-memory.dmp

memory/3588-87-0x0000000074660000-0x0000000074E10000-memory.dmp