Analysis Overview
SHA256: 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
Threat Level: Known bad
The file 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b was found to be: Known bad.
Malicious Activity Summary
StormKitty
Stormkitty family
StormKitty payload
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops desktop.ini file(s)
Checks installed software on the system
Accesses Microsoft Outlook profiles
Unsigned PE
outlook_win_path
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Analysis: static1
Detonation Overview
Reported: 2024-07-07 05:18
Signatures
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-07 05:18
Reported: 2024-07-07 05:20
Platform: win10v2004-20240704-en
Max time kernel: 94s
Max time network: 95s
Signatures
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\Process.txt
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\ConvertFromMove.jpeg
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\CopyInvoke.jpeg
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Desktop\GetOpen.ppt
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\ResolveUnblock.html
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\SelectConvertTo.txt
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\TestUpdate.txt
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Documents\WatchConvert.docx
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Downloads\EnterRequest.ini
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Downloads\LockRegister.docx
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\ExportAssert.jpeg
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\InstallPublish.bmp
C:\Users\Admin\AppData\Roaming\KGOEYKGQ\FileGrabber\Pictures\RenameConvert.png
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-07 05:18
Reported: 2024-07-07 05:20
Platform: win11-20240704-en
Max time kernel: 92s
Max time network: 101s
Signatures
StormKitty
StormKitty payload
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\ProgramData\INJUIINI\FileGrabber\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| File created | C:\ProgramData\INJUIINI\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| File created | C:\ProgramData\INJUIINI\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| File created | C:\ProgramData\INJUIINI\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| File created | C:\ProgramData\INJUIINI\FileGrabber\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 52.111.243.31:443 | | tcp |
Files
C:\ProgramData\INJUIINI\Browsers\Firefox\Bookmarks.txt
C:\ProgramData\INJUIINI\Process.txt
C:\ProgramData\INJUIINI\FileGrabber\Desktop\ConfirmInitialize.ppt
C:\ProgramData\INJUIINI\FileGrabber\Desktop\ExpandPop.css
C:\ProgramData\INJUIINI\FileGrabber\Desktop\MergeNew.docx
C:\ProgramData\INJUIINI\FileGrabber\Documents\AddUnprotect.xls
C:\ProgramData\INJUIINI\FileGrabber\Downloads\EnableUnregister.rtf
C:\ProgramData\INJUIINI\FileGrabber\Downloads\SplitBlock.pptx
C:\ProgramData\INJUIINI\FileGrabber\Pictures\UnprotectSave.bmp