Malware Analysis Report

2024-09-23 02:53

Sample ID 240707-fqt8aawhpb
Target 86108d3bcc19fe774cc81b71494d31f9.exe
SHA256 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
Tags
stormkitty collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

Threat Level: Known bad

The file 86108d3bcc19fe774cc81b71494d31f9.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty collection discovery spyware stealer

StormKitty payload

StormKitty

Stormkitty family

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Drops desktop.ini file(s)

Unsigned PE

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-07 05:05

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 05:05

Reported

2024-07-07 05:07

Platform

win7-20240705-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
File created | C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
File created | C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
File created | C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe

"C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | freegeoip.app | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 104.21.73.97:443 | freegeoip.app | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | ipbase.com | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 172.67.209.71:443 | ipbase.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/2748-0-0x000000007417E000-0x000000007417F000-memory.dmp

memory/2748-1-0x0000000000F30000-0x0000000000F86000-memory.dmp

memory/2748-2-0x0000000074170000-0x000000007485E000-memory.dmp

C:\Users\Admin\AppData\Local\FCNAHWEI\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\TestShow.bmp

MD5 6be6610c2b3065ae49bcd766f9e13833
SHA1 e3f7db2f769430bd9f2c282b884aebb3db3894e5
SHA256 3e94c6e63b99b0f468ed5778765af77acd28dd584ba2ff89724d8fbaaaebb2f4
SHA512 7efdd397ac5deeef0a4f761ac87442b95235b341fab857361ad123cee9b4d20f1d15861172af12bf81281409f559a3e8a82c343eddd219513080e67e55a8efdb

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Desktop\UnblockOut.xls

MD5 665ecc65adb090ed7a4fada2696d595f
SHA1 5e9e27ee97bdc85ac30798246fe149a938cb8b7c
SHA256 02e5170e87c17f52097dd0ee294fba77a6eb45ceade798c816c6492ca5b275b7
SHA512 ea7fd4d5a521e700794af23836e54e27b509d2507a62a8a69100849f22fbdb721236cab9b3db1a7e741d374a18387e886f25a71636be98bb59e8a46fac678522

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\ClearConvertFrom.docx

MD5 83325a5e5d76bf554820f170c64cd527
SHA1 408f30991bf57c6d0bfb7e3cb0ee41138cee9b74
SHA256 a6bfea2ac7491afbad243dadbde85f98ad03d3f460bc450141efeb9e06ecacde
SHA512 0fb5ee545989e6798b37b56245f2b4ce3c9f93cb85ed945a7eaa8897df3733af86f290a7d6aea0b30095cdfff70f35dfdaa74fc1e5f8fb939c6ab2c1bd847b84

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\CompareStop.rtf

MD5 d1e04cb86911850f936adcb5fcd75857
SHA1 a05f5e81abf956fa7005142dc0a57bca6801875c
SHA256 5d5cb63b3a5f7a1694096c702cca596247f58d6b4e26234ed279d291bda82b9f
SHA512 3809caaaf839e346b7cf5f3eda9f87c36ae857ec41782e8ce7aed1cecb757695ed6ae71764b3e247eae610606aba087edab63e203f5c9abe590c17c62d010a38

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Documents\MountSearch.doc

MD5 af367a052c106e968e1edad46a802c4b
SHA1 04f3958a69405c0ff3ee38ab3835149a27fd057e
SHA256 e85d963321ce1affafd1dc3aad3a7652acd9fb2b6835411874784b3d1256f0a0
SHA512 3a6088686641bb81eda3325ddb8fd2315e3b0a8a70d50e9d6868b24f2300edd825d5add4c5112e535a39c9d575a4d4f445993a7b094923ed389cb175c5673fcd

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Downloads\LimitEdit.rtf

MD5 a710a7003cbdf2cce9e909c36ca9fab9
SHA1 4ec72ad90c14da10524548613fd9cf190cf0a235
SHA256 493e12a1f3475fa09848ecdaf515c067a24ed4ba2da10d7a13da501dc9e1db77
SHA512 cea0451c62fb8a9099dd4578067758bf6de2d1123e2b4a7c6d5ea781a8fe80f1d91739919899d5efd7040154d04079560292b6c5e54bd64470e3c9cb9961515b

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Downloads\TraceSubmit.docx

MD5 33326076131619648edf0ab377887ff0
SHA1 52c7b748a8cfe611e50863b16f21a9e874d7d018
SHA256 836ecb1e1c0def49d08aab15322cc19c1a4ee09d8238d983db942833600d0bb4
SHA512 61f53757b12e38a1070f241206b8003a346d963f0fa2df0d03edbc81c4dcdbbf6c53721d2a5fa3b33595e8d9950a759e93123fddf302e6691543c0d178e38a51

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Pictures\ConvertToMount.bmp

MD5 aab529f552f3ed521ec390061994e188
SHA1 ffab5ced3140dba286387d4564fabdab3ad9e2ca
SHA256 0bd704fbc48e625d2500c990a10f8015dbbb2620b560ae3106a0c4b8f4492ec9
SHA512 a5e68bf67a9ba1b7ad6957e25bd82a9ff1fec6166f8f5c2c054204f6878d59c00f5d29bea00774e4269db8670056988b42daa93216f6705a58fa1ebaaa51a8dc

C:\Users\Admin\AppData\Local\FCNAHWEI\FileGrabber\Pictures\ExitReceive.png

MD5 0913f640d2c9a5ba6731f425d28803b0
SHA1 b2e41bed1d17709e2ddb4bf0fcf9ddc96b4a517f
SHA256 6d063400fdb236570f2f4a154fd11808c9dfde6fae9bb5e3887caa4a478cf86b
SHA512 fdd6454e440c018538764d4aefa137f6236489c4238adba63399a815fe3dd0a3f0985b0f888fcdec2e751a11455f8790d0100129ad0c74e66062fec8697b2131

memory/2748-176-0x0000000074170000-0x000000007485E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-07 05:05

Reported

2024-07-07 05:07

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
File created | C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
File created | C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe

"C:\Users\Admin\AppData\Local\Temp\86108d3bcc19fe774cc81b71494d31f9.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | freegeoip.app | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 104.21.73.97:443 | freegeoip.app | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 172.67.209.71:443 | ipbase.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3276-0-0x000000007450E000-0x000000007450F000-memory.dmp

memory/3276-1-0x0000000000890000-0x00000000008E6000-memory.dmp

memory/3276-2-0x0000000074500000-0x0000000074CB0000-memory.dmp

memory/3276-31-0x0000000006740000-0x00000000067D2000-memory.dmp

memory/3276-37-0x0000000006D90000-0x0000000007334000-memory.dmp

memory/3276-39-0x0000000006BD0000-0x0000000006C36000-memory.dmp

C:\Users\Admin\AppData\Local\KGOEYKGQ\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\KGOEYKGQ\Process.txt

MD5 42bc4fa843ff9aed2696d12f15303dc7
SHA1 5b64485807c233a9382341b2f32edf50cf9c9f28
SHA256 5f099a5b5f773783c9ddb7aa810e0ab96c5872ff5d439652bd81926412926d2e
SHA512 e86317df7be076bccfb852ef58c9281ed35b61000b5208f4ccabc4f4abd353846be44f3c1e32477408eac59b70246f5172157d206a7c273e1670660b5a6cec01

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\CompressApprove.css

MD5 30b161b4a22a4402c370e1ac56da0a1f
SHA1 8491b8d0dea4caef03526a3b2c9dce54f81fcc3c
SHA256 34c98848d2275b7e4db2638ae8570b6680a256b6c99ad0958dba67c8b620d61b
SHA512 9cad69a1d8eff490eaf9daf63c96394ecc4801c274aa8167e3d3669b98be5143c091bc139b1f8c5589a3383577628531d8f1502f0ae7752fa07544a3908ddcdf

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\ConnectMount.rtf

MD5 921e49776bc45da8d1aa5aa21ed0683a
SHA1 09174473a649588fb9d790a26377b6e2bc47d27a
SHA256 388f63191373a829110adf804439976a0882ad00aee1894e385cd2262c228bea
SHA512 779b91b0b1e8d7c72307e503faafe46ac1a3f38bfecc4e97ea38a663695557b011dc14a1c7d7c803382c25591fa66beba2ee4cf9708b587ae77d3010cc18bf5f

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\LimitPublish.xls

MD5 e69eb6e935e2cafa54db42b833e340e6
SHA1 20731b56371d2aeaa08d984159abaa0caf1cbe23
SHA256 f5d9a575efda59e8cad109df6890d3cbd51d4ac7d7790a35c44d315687cb4315
SHA512 b72375c0b6c6103f20261e6214ee8583ca5cf58370294a499eef01d097b6294368e2e78b5ada7d16992dd5af45ea719053cddd14aec41ee35a46af8aa18f20cf

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Desktop\OptimizeConvertTo.html

MD5 2b3dba08583f739a24d2c87606d5c744
SHA1 7745fa9de46645a2c65c081676992a96ebb7948b
SHA256 a8e9b4106a4c14e7897fb5ff49393a4debce4eb9cbf3f796d3f703be9994729f
SHA512 4d866e1bf9beb4943a5f417aa6aa1a6ec96e959ed9ff879b5a95186567d892a76e6bc933194dbed38d5712cb9afbd9c5c1a7bd84ccbfedaf7cd2e3cc712ac737

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Documents\BackupPush.xls

MD5 f7c1020e9db201f8e143ceb3f96debcb
SHA1 1fdda7650df9a5c2524528aea5086a4f058edb20
SHA256 0abd25d6e25bd32cff360b799316ad8a5d04ed9b5cf66039ea668d0d9aeaff3b
SHA512 88abdd9dafe9d616f0fd50f14c2e8852feb3f582de69f55429cc4929742d309ce5929e619c83e59aaea2641179bddd76359efad24577f9b32c79aa4c7daa9028

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Documents\BlockUpdate.doc

MD5 b4ace3609004fbf1f87240ae922fadc3
SHA1 211160dc5d51af4cb0c6ed543e185b8a4d582541
SHA256 4f9a2f0519d9c603c2406a944e39071417dd9259650a3dd0f3dc7af7b5b8b99b
SHA512 e57e6503560f63bfef708245e407d8b1d90248a3936e6070f6fcbb58e5355e70c0ede4175dc1f5316184c6818d2fb3dbedfed2627ce75be5d1618ff294054bd6

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\GetEdit.css

MD5 1273399b253f007dbbc3a190d089d977
SHA1 90a18a3492cc446254bb866b38dec7db84075554
SHA256 e2885ada3eb0d6949afa0b200b240bf8ea12dc61927d58bd3901e96c661d8b06
SHA512 aafcfbef5c38ac716da74129dcd8a6c1b1909344a4dc9c6a82909dcd2802f238cc70296e88146c450bc7ffebbff668d6d3f3e2d5a097b1201804c8428a843fe7

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\InvokeShow.rtf

MD5 d13f94d94e24135b7adf6187313e2448
SHA1 3db291e644f280302cc418b0b90a63e62541c826
SHA256 0bf8b1e3602df90dab60976c096987b1fd51aa08a74c964210feaac0528fe701
SHA512 540580edb9f7e82ed535c1305feaba9c0919d04d1011c68ff672224cbcbedefc639bc57ee19abe5fcc209d53a883bccafa4a86d6009ac051c32f061cfe7ea6da

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\JoinSplit.png

MD5 5feb86927fdda664331da647f7a8f414
SHA1 a0f870af12d45819541a336d3b5c2f8637f6ddec
SHA256 e4b1da17322f245126c4a940affc0bb910a8cfa75c7259b2584bbe769bb06208
SHA512 ae4ad430859595f16bce16af5c6554d57e8492aea55de8a331ab3d07865fa8b8bbf5d175e04e5f1b67de8d65fbe53abe9ec2912a9276a2e3f77bfc616c8b16cf

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Downloads\ResizeHide.pptx

MD5 ce4f4b17d1e4c053459effaeeca9a9ff
SHA1 96fb7eb60a8443efc749467c504abd00c9e95ed9
SHA256 480a3e97b61a2c0a597568496fe59c89306472aa61b50b9851a55131dbb1d465
SHA512 0353463e22b664440aeea86be8de53711cf5c9ad41a4742b71e972363202e734d5444cbc9afadd92248f6b2cae54ea399e181a14e0e792513d05ecafda808845

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Pictures\CloseExit.svg

MD5 e8df53331318a49dee93c7ced4375933
SHA1 68876fd2b285b5b4bf0fd8b63bf5a4d896effa6c
SHA256 8acde6e56919adf229b31ec07448c4f75bcda986118117035f29843c2a3f6af5
SHA512 b9de1eb4015241f0d7c454752eeebe670876f8501ba4d8cbe0bd5f562e5446b975476b2580bf0b20b5314fad307f72ba919edc3021f6d36d20281905f5829a70

C:\Users\Admin\AppData\Local\KGOEYKGQ\FileGrabber\Pictures\MergeSave.png

MD5 cf422aa99146365bf9abcdbe10333dc5
SHA1 461d9cc4940f782afcfa76c489b1cc6711bf5129
SHA256 2172bebbec5297370a3cbfdf31d66e9a081cf5b204c847e5605fdea83c8be3c6
SHA512 f8ec03badc8a75ac62fd26d86956d74aede93e3a23912e9c952c7799c1768191ccb9e31818062930c252777471998ced6ac4b7bdce0eb6594717a82fe77f3af3

memory/3276-257-0x000000007450E000-0x000000007450F000-memory.dmp

memory/3276-258-0x0000000074500000-0x0000000074CB0000-memory.dmp

memory/3276-289-0x0000000074500000-0x0000000074CB0000-memory.dmp