Malware Analysis Report

2024-09-23 02:50

Sample ID 240708-bpbbkaxgpb
Target 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe
SHA256 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
Tags
stormkitty collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b

Threat Level: Known bad

The file 9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty collection discovery spyware stealer

Stormkitty family

StormKitty

StormKitty payload

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops desktop.ini file(s)

Unsigned PE

outlook_office_path

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-08 01:18

Signatures

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-08 01:18

Reported

2024-07-08 02:07

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.13.205:443 api.ipify.org tcp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/1796-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

memory/1796-1-0x0000000000B90000-0x0000000000BE6000-memory.dmp

memory/1796-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

C:\Users\Admin\AppData\Local\HKULBIBU\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CheckpointComplete.jpeg

MD5 38fec54d790c17bdc0df1b373a6de809
SHA1 2b0e747fcf52760804338063bcbffcde004e12f5
SHA256 a17bf0031af7db7309129113518fad430b3dc6d8c9afbcfc1ffa819450c772a7
SHA512 2cd72acd6681138109bdd29f9d42f9c8d7181e2d6fa9f9a37e8abe643cb2db991c9d3e1666ef1631b0a9964f612534e14901ecf23f7a82f1f82eca1011dcd8fc

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Desktop\CompressConvertFrom.doc

MD5 7323eb4f3677c45a9d6802c8f847d27c
SHA1 05baf7db783a294f0f681ea2eb8a8b1de986cd27
SHA256 4bc9dd9c0864a87877a351b7bf01aa3e49bc5a08ced61f22fb0a3da27bdc4afe
SHA512 4e0bcf1be6fb855788fbf52c40efa365e0cb8768aeb437ac168a7ccf6c45e7d1cd4020e116b0d7bde3c09614f38c5830998a0c28d370ce91e298798400db0622

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Documents\UnprotectSplit.pdf

MD5 1837b2533c09056bc51fe1dd2d4bfe0b
SHA1 9b159a02a6f32eb4db40421ab7cde2f275a22aaa
SHA256 1ad83d28256c9dffccfa928b8f898d191076a4696dbcb2155aeb12a7207059e8
SHA512 7c55a7182b19f190b9a54893db3b711aa7997d5535b4fbf08d885586ab0dbade176f20bf86297792258d26c29db322ed687b3afde36f4fdb678760023a155841

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\BlockEdit.txt

MD5 745c411b9ea5f1d0f3d190c24d45a97f
SHA1 3d32973e7d487a984756f84dd1cc3bd67cf7ed62
SHA256 10c3b994f9773b69cb48ad8e7159e3c917f78c7375565bacdcd6abe1d8fb87f2
SHA512 7b16fa25ea088b186372a02345a57ae3a5c236ec2150b75c3ce43054203186e2ee96a62850206f3c45cf17e79f9bee54d8129d47ef02d95b1a72a5aeea647342

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Downloads\ClearNew.xlsx

MD5 b8103d71fa50988948c74ed5e6da432a
SHA1 0658fdecdc66ab2bbf28f22365843530461ee290
SHA256 02fc673fcaf14e8571d07e103896b2f128357f67f2d4f8fbdfb3e4d8f037c097
SHA512 a9173306e0683746c391f2d81a29f496462713a7fe57ae6fd44c7937876b8c43375aa8427c9e99d9af972e89335c56156cb66f32f6b66df13bd7bdaf0fd45b34

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\ConfirmStop.jpg

MD5 703bfe9d34aeda78a7c9fff9fd3cd6cf
SHA1 69d09b131f675de53deea685af6577e5f5db2007
SHA256 89b52da95cd71bec000cd94b5d16c7fb17436a3a52f7946dfa988829db2a6498
SHA512 a0d2855051e2fc1e9a66ce75a775b0b21063382fa37d21db7438999fc0b94a2de3addc704419016d3496022bbf72ed0cd458dc402f540e493322c7aa55b53d90

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyMeasure.jpg

MD5 a548add6936a57fd865fc414d33ced4c
SHA1 e08d57516e17dd1c56169af7191f4e7bab2d603f
SHA256 2341c8df20da12510ec848631d3df91bb91ffdb3b4695f6d20eb8a877d6b3098
SHA512 dadc59763bd8b9f6087f12275d1e93bb0c77eef0769f371c0619957bd2ffa0f1f9b3c2e011ff7cf6339ff2401a712488d30eb392852504f66b445e5fa7e96274

C:\Users\Admin\AppData\Local\HKULBIBU\FileGrabber\Pictures\DenyUse.svg

MD5 b35a334858a994f9ba106d88b5f00f60
SHA1 861b79eabeab7ad508ba4261475f40bc70adf900
SHA256 fe22bf5182b642241bc319817ca9803531ceddd9edce213e81b018a37e62efda
SHA512 441321be48294b2af867b500702839a7cbf7b388f176c23677071120e7351af6455bb0a5c366a10c15b26476213ace17a8b1f633f47a4c8fe96ffdc786aebc3f

memory/1796-146-0x00000000740CE000-0x00000000740CF000-memory.dmp

memory/1796-147-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/1796-169-0x00000000740C0000-0x00000000747AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-08 01:18

Reported

2024-07-08 02:07

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\ProgramData\OMYOWHZW\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
File created | C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe

"C:\Users\Admin\AppData\Local\Temp\9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 172.67.160.84:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 84.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 189.85.21.104.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

memory/2840-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

memory/2840-1-0x0000000000C70000-0x0000000000CC6000-memory.dmp

memory/2840-2-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/2840-32-0x00000000069C0000-0x0000000006A52000-memory.dmp

memory/2840-39-0x0000000007010000-0x00000000075B4000-memory.dmp

C:\ProgramData\OMYOWHZW\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2840-53-0x0000000006D90000-0x0000000006DF6000-memory.dmp

C:\ProgramData\OMYOWHZW\Process.txt

MD5 effa9740d01f6a099c9d241990cddaa8
SHA1 acb86f9b149c81554b38ca8a0ea9ee75fefd2ff2
SHA256 2cf0a6e88df64f73e3a28027688119457f0801aec0dff7c6efee9d3a19609d24
SHA512 d5bd6b1cd6d1d9ebee6a28e6ee88ac7084e87fe36eaf2479250f45f60facd5ec8574d5f627fbc206704901e0f1148e91db14c14391c0b4c4883e8a528dee43fb

C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\ConvertToTrace.jpeg

MD5 d2f4ea36d8fd4716d6fd6820cbddb3e6
SHA1 b05ae5274fed9a29285960e5be157c55cbda13d9
SHA256 00bc48ab0e0132bc2d8ca8823ff7c25a534acbe899b8f9ceac464c20b472c35a
SHA512 f4e283ac85bee409d0e229c44051ebdc70e302746a4884d8e4a6d0d29f3e02f73139042cbc8304d5c9d960aceaa21dfaae8c4983b51564261086df6cb8a2581e

C:\ProgramData\OMYOWHZW\FileGrabber\Desktop\DismountPush.xlsx

MD5 4a35445a625358afb991b19eeae30030
SHA1 c234a6f50e2ce249b53342ac71217b0b0ca5ddaa
SHA256 880ef633b5b29bd0e04efb34d75499029335ee4db8b9a0769c7ae58c121327cb
SHA512 bf459d4b84ffa74bdb62ffbee303c14095b688a82e5e3a199a96321d45574531aa1f0737026c40d752fee294fbb4cfa04f19705c54eb940ac67aab423a899020

C:\ProgramData\OMYOWHZW\FileGrabber\Documents\CloseReset.html

MD5 37eb6cf1a0194cff092a97d0ead9e384
SHA1 183ce622fd56dce9d4fbee02d80707aba68256bc
SHA256 90b44f2f27b82d672a254e17855608779234d7fc6e2d4505557535ff1f0d9bfb
SHA512 8971bfdc60307e6779641c454a372a026a737a363ce4de9385184e806c5fe4afcc2fc7274d6ae0699a3d9ff49dd49b508b93ccd712b29bea698d4af9a78be398

C:\ProgramData\OMYOWHZW\FileGrabber\Documents\EditComplete.pdf

MD5 b443cc49c2c2e40a4f4ad2db0bb5ec2e
SHA1 4086b629a7c521a62854008d466492b21ea87cc2
SHA256 5c55a20c0ec8d9669f64a065efc82c5dc04e2b9598b0cdd40f133bcbae602bb1
SHA512 6748cc1ae5cdc226f0686164dcee543f077007f3675c0f5cde0e905e5a028073a939c2ebc159af5a1ee09044d71a149b7df6282f6edaf0714389ddfa9ed4f0af

C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\CheckpointClose.rtf

MD5 9faf1d994caab14f4273981b41a6a787
SHA1 d4ce5e567b7a1a15f2e23f8c0e86221cad86adb0
SHA256 a075c1fcfbf798d473dfa09f74fccb0f525dc80c6c7a4928cf1c3c31f1275bdc
SHA512 dbc999b8914462f0ea55f6559856946bce5bfd31903cbbb369c627ab8623b65820aac1da59ceaa21e86a16de30ec36189ef516280e86ab123b29caa3292a32df

C:\ProgramData\OMYOWHZW\FileGrabber\Downloads\ExitFind.rtf

MD5 caf0286e07cb58f8f93c052975192f3a
SHA1 0caecc1e356fe23831248f2a585e465f08333754
SHA256 f2e6b7f3f6e536bf62faa6828b2c8e13f08c1ab18abbbfd4bc733937bc301338
SHA512 bf172ef45a5bf714a3c1ef5976fb5402c8267e2ae1881d20c01e2b360358f8cd58f1dde12a2afc178be6606e057ae9ea5ac4a225af16e06dd53feab50a11458a

C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\CompressPing.jpg

MD5 661e072de77306ed328f0aae0ad8e697
SHA1 8b39e61df6072da2a8598d37ca8ad12d61a9e11a
SHA256 2d8a4222091da28e441ea5c238d283bb0317d160338a261255742621a5708088
SHA512 4c78b78d1a84979646e48546af53d358160c54c676c1fb965cc8d42394e3e354cdc32276722fc5dfaa7782d50b9f935ddcf60ebb74cf3a6d38f95cf73b0a1a35

C:\ProgramData\OMYOWHZW\FileGrabber\Pictures\InstallSubmit.svg

MD5 914d947cb8ddd4678471b47a924c8027
SHA1 72b489bee8656b2d72e21af435792b1d84d34dff
SHA256 86e302dcf86881d319fe0a38ce3fd17d1f2dcd9251bf9062c782a57788ced246
SHA512 b0d5291d9c66a9d521d8b1eff95b79e7fad6552eb106c71c7126c80152f593a91382e63ff1b2ad17deeade854d17ed4cfec2cd9cc1ae005123bb2409af47b720

memory/2840-237-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

memory/2840-238-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/2840-265-0x0000000074FA0000-0x0000000075750000-memory.dmp