Malware Analysis Report

2024-09-23 02:58

Sample ID 240702-bjg7xs1cpb
Target ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58
SHA256 ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58
Tags
stormkitty persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58

Threat Level: Known bad

The file ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58 was found to be: Known bad.

Malicious Activity Summary

stormkitty persistence privilege_escalation spyware stealer

StormKitty payload

Stormkitty family

StormKitty

Reads user/profile data of web browsers

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-02 01:10

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 01:10

Reported

2024-07-02 01:12

Platform

win7-20231129-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2344 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2468 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2468 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2468 wrote to memory of 1340 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2468 wrote to memory of 1340 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2468 wrote to memory of 1340 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2468 wrote to memory of 2280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2468 wrote to memory of 2280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2468 wrote to memory of 2280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2344 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\system32\cmd.exe
PID 1516 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1516 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1516 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1516 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1516 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1516 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe

"C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | crl.microsoft.com | udp
NL | 104.97.14.210:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp

Files

memory/2344-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

memory/2344-1-0x00000000000C0000-0x0000000000100000-memory.dmp

memory/2344-2-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\System\Process.txt

MD5 49d5468d6911ae063af03e934dabeb09
SHA1 7ff9ca74df83368c2952aef8e11569707bfb244a
SHA256 b1f4a1cfa116725b97eda7eed12e03cdc18d84ec6379ad214d8ac4bba93eddca
SHA512 4dddc1fee58b2c0ccd27b5ccc1022d6d72bb9df6810bb28ccb31f1b0cea80eb13951bb6419bea099b5d481ba9556438fcfffe47783f22fb81e72c62c371b68cd

C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2344-73-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

C:\Users\Admin\AppData\Local\4e4194bf792b11fcee1c8b62e46231db\Admin@SCFGBRBT_en-US\System\Apps.txt

MD5 41cd827edadbcf3f676580c580c1dc03
SHA1 4e99509e7dc0b1ed6cc5306241b58b2ccbc8948b
SHA256 1d270899f548088968bebea9d32c8c0f23dfe59ff6e61ccc3b38d995cf001389
SHA512 087c36e68cfd5bc6898859a194ef1b63156bff6b5cd59f872dd6d48e281b558f2d7aa46a934c4da902315b361bee8cbe1b993525b4f5783e455944a55da89d0b

C:\Users\Admin\AppData\Local\Temp\StormKitty-Latest.log

MD5 4a99b64c01ed0b6a4b0f64baeb104369
SHA1 ecd2703b41781d3247c6bfe2e9317d669c1c9bbf
SHA256 5fdf704d0a3eab008cef143c64fdb8934ba1e9f6a5251c961bd3705ccfc36757
SHA512 d7d6e47288c61cf39130e41a0867277999ee67d28d61b4c45cb707f3b53cfb2ef069d86f04d3f7228665a2ba295044693d5b0f44baa7f7322787389cee48727b

memory/2344-153-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

memory/2344-154-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

memory/2344-155-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 01:10

Reported

2024-07-02 01:12

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4276 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4276 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3128 wrote to memory of 4612 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 3128 wrote to memory of 4612 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 3128 wrote to memory of 4596 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3128 wrote to memory of 4596 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3128 wrote to memory of 4156 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 3128 wrote to memory of 4156 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4276 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4276 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1352 wrote to memory of 3316 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 1352 wrote to memory of 3316 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 1352 wrote to memory of 436 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1352 wrote to memory of 436 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe

"C:\Users\Admin\AppData\Local\Temp\ad8efa26c7c870b002d627f88fd1f22c2d398e87f2a6104d368953385530ae58.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp
DE | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/4276-0-0x00000243AC7B0000-0x00000243AC7F0000-memory.dmp

memory/4276-1-0x00007FF8C7A13000-0x00007FF8C7A15000-memory.dmp

memory/4276-2-0x00007FF8C7A10000-0x00007FF8C84D1000-memory.dmp

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Process.txt

MD5 243583fa23f51a2ef931ca1682a9db66
SHA1 14c026c80265374c25268e33ad84b455c1ec4c17
SHA256 45eba89b49ededf45c6f43a2fcf67cd42c0429341af7c87d7ed2ae4730d7427a
SHA512 67b94d14b2c9f350591a9ee743dbc4671cef338997152244d50cc29fc0afa5684ae88d37556e941aea0b9415061094708a92fbefd9a98252294b2cd8197defe8

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Process.txt

MD5 3749c742b303ae4df9cbb7e53e0b49a1
SHA1 f63e269607e7f3534df265dce2c86da6e9af137d
SHA256 bd6b654f2d308142b614b7c4666763c732f8b33a41a6e145ef377b3477c6817e
SHA512 2e0cf34650abcf3d7c542de14fd4f55680578de8222614281e6b9c1dd9726c7fda24467b4f4e167d9e8e504bf507cf5db9e41de2da78d5bb25d3b0f484a400ba

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Process.txt

MD5 8178698a4fe7094024ae81071c8710f6
SHA1 4f2b16d9c22f117d4627627f61ebaa0b57f2c3f8
SHA256 c71574177c1e036627590325d6c5b0dcd9d664badbf54469e74e1a97b75eb07d
SHA512 43c63121dd4465fd8cc74661b1d96cce3cc65135924aae3a523f2e3c3bd2e09eaa3568e02aba51cb686b9dfc24bfa84d0805b1b3e6b562d1879bb51856d10698

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Process.txt

MD5 b7cb32d9d4141c2d3b67eeeac03c6382
SHA1 fe35612e2948d87c56330ac5b8fa4727ee135a8b
SHA256 7c3020f6713ec1e89fb19fece424108361012bc9fa1e4eca95849e39b04e53b3
SHA512 3df787941bc78fa4636b9ffd74e4790bd6b7334802bbacb86b95ddeb0700b87687f3b6f66b07d4b462929a8b3191e863dc01382d1c18e8484f442539cbc79ad5

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Process.txt

MD5 0773273db68558d21f5bd0ff0c3771a3
SHA1 680b009a35745a9efcecfd535316fb8c1c64e159
SHA256 fdce76c850ec081b1bed996e20f540f8534ceeba0e1ca987be0be3a3b9a48f77
SHA512 651d90e975610522ee1034a22453e2ee902dca68e3796dd61d344e8574d945795d7bb22c080fde8a9ef1ce166e00e0ba9f3ee73ec116683cd5f293cfff8fc981

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Process.txt

MD5 03a4d9d7e66d1a3f16c307a708896b2a
SHA1 ad0b59c8e9138b5a658c93130ae6b2be8490fb53
SHA256 60ac48f811a537aab7f0c5d7465f8bb8664158627104797887cd840f05fc3509
SHA512 063a4edf61a4d48a6ef387a2ce1d460bfcb142661ebf3f9ea97d73db5c15ae10466bdcdb96f35d4952931d0b171992017f2c8a982bbdcc67cb392b8a5383a5ff

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Apps.txt

MD5 c0b8f9d397a62c492089d0913a138476
SHA1 dd41932ecda410510ab37d5ed7b633be8bbfef90
SHA256 1727d9e8a9397c8c8a542220f42260a7d97fe01d0de100e88cb0749e2a5f3467
SHA512 3096905c344beeb5d76ff6284ec20a00935fdda8378149760ea3f90b386acdf8e145580f6120e484c1fe853989c10bf67c95e39a9260aba03bfb36904a0f643c

C:\Users\Admin\AppData\Local\ccaf68d1870cca323ba1986e7d71e9a5\Admin@PKVHMXKI_en-US\System\Apps.txt

MD5 2e0726a4d0f38a48e1469e4879120db9
SHA1 a7e6368993cc6ddc27199c94362372887c73f1dc
SHA256 aa79767f15d3dff6a5de5f13127511613ff02eb642c12c2e676a73b8e62e4e98
SHA512 c477a33ba1e8817a4fa126f6d6a47d04d800c2a263187101f7715507ed7725dd1edf790d3ee3fbf07ba2ee03c496dbc95f6cfafb09401179f392cc19f9d0e3cc

C:\Users\Admin\AppData\Local\Temp\StormKitty-Latest.log

MD5 10f854ff6b32f7a31c7fe863796d18e5
SHA1 95c2b60956fc1b3eddde4f2e33f354594c67efc0
SHA256 1c9a2bda9cadc8246cf02a3926fdd7e29a361e47d9278294ede65682e58a6c17
SHA512 df371b27f80235c4bffdbadafe6a2a66bc57a1831f5bf38aa30c77fbf65902871e687799e540508c605d50a72063f4622c253c15921db29c84e54b9d8156d5e2

memory/4276-231-0x00007FF8C7A13000-0x00007FF8C7A15000-memory.dmp

memory/4276-232-0x00007FF8C7A10000-0x00007FF8C84D1000-memory.dmp