Malware Analysis Report

2024-10-18 21:31

Sample ID 240814-x3wejszckb
Target ProtectPass.exe
SHA256 75bc18011ab2a39bdd97e241ee748399fa0fdf7fbd51a640abe5067cee34abcc
Tags: stormkitty collection credential_access discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 75bc18011ab2a39bdd97e241ee748399fa0fdf7fbd51a640abe5067cee34abcc

Threat Level: Known bad

The file ProtectPass.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty collection credential_access discovery spyware stealer

StormKitty payload

StormKitty

Stormkitty family

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Checks installed software on the system

Looks up external IP address via web service

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Checks processor information in registry

outlook_office_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-14 19:23

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-14 19:23
Reported: 2024-08-14 19:25
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A (26 identical events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe

"C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 g.bing.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 204.79.197.237:443 g.bing.com tcp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4284-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

memory/4284-1-0x0000000000D90000-0x0000000000DE6000-memory.dmp

memory/4284-2-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/4284-31-0x0000000006AC0000-0x0000000006B52000-memory.dmp

memory/4284-32-0x0000000007110000-0x00000000076B4000-memory.dmp

memory/4284-40-0x0000000006FC0000-0x0000000007026000-memory.dmp

C:\Users\Admin\AppData\Local\OARDHGDN\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\OARDHGDN\Process.txt

MD5 b9de1c3959308ca8ce4b41d11f8f31c5
SHA1 ed3e4f5ce28c03a70ac67c58e8699ce62d9f9833
SHA256 54f5889b99019e5b5ec147484c99b92cb11c2a83d12febdc71a1a4cb07c6cda9
SHA512 b4d706b03b5aa700d87e3a3efdf2a4355053c16477a54d598f08ddca2af2dfc914b877ec3eb717ae8d418d7fb72b7f3be9a21d6d2ad1eeed9a85b911d93e414e

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\ConfirmGroup.php

MD5 1291734e8db998d3a9581370320efd6c
SHA1 e3655d42aca84d9e562e484978f62854576e927d
SHA256 a1cc1a8934c153e53ba42dbfd03bd1fe1c079ceea780f40d441c19889a3ff859
SHA512 404b1ef78325c658b207990b37ecd228031ea24031b1dd030ed06afe03543464ec942c0b8848a59bff25625eb341696bad645be90ca98f9b8c59230f4f2fee75

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\DebugConvertTo.html

MD5 1e3400d6a285c7046b0286e873bbece3
SHA1 0ea79e84a2d849cc207610e93a0dbd52961dfaf1
SHA256 5802323adbd61903ad13a2c4d5cf8438544276d943ca1dbbc672c07ad0118054
SHA512 ae186e97a70cbc2da0525144cb41e4ae01cf20fc177fe8ca228161afd335c5c276f99a04166c8fca64877fb348db4b5b6e1ffa7098bba4e263d6bc488a22b87e

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\RenameEnable.html

MD5 0c1b66f340ecd052ed90de2f65122134
SHA1 145a54f79e6e6d6fe63c85ba999486764272f7d8
SHA256 35395f12a4655109a0bab4279b9251795f18f601b914b479ab28f7cf6998b61e
SHA512 4bcfe30ae2f5b87692e37ab79eedcbde6bb368d34bee9193f4c751a2130b29831bb44966c92968394a0e577af679f9bb256ec5f5ad770e855fa89c3082286f3a

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\DisableReset.txt

MD5 e8f96c24bfd3d1424b84732386619b2c
SHA1 d6902fe1602db76698f0ba6233c28d8cb32be6d0
SHA256 005cc8f865b99c3c4a5fc88632b29438dd290e806ed18ca71da472c1d12f01fb
SHA512 6d3780080b6289f7b3577743f36da8f2e2a1e1cc8840440db1cddcf9268d280c11c5c793d0d196dff9afb66f97b97005f98404b81c6f236624c515f643515d1c

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\MoveResume.ppt

MD5 ac05b5c3b1a5bff6a7832539882844c0
SHA1 2d4f52d8954866665dc5e955934cf08fe40db5a3
SHA256 e2ea4332dc491decb1af22edf096ba7655bd890692d7ee2317b9f282a8d4fa1c
SHA512 f0e1dcd6a0e2d466aa976636e3f9353000a8a6e91c6c9460f4a7fa5ffe32cf73797e158d21b41425799bc547e83e07e65850dd39340fcf0ce71aee7f3b0a3b40

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\CloseSend.js

MD5 12c65cdda4fd1cb551792f4bd5c299d1
SHA1 9b93d6298f050b9b20d2f9eaa76e4b95c27cf15d
SHA256 003b201a96ef285c79aed1965c19a0b869d1829b0e2de7f61869d57dca17ded7
SHA512 145dfc3067f56cf7cc57911abadfe39f85c99fc641cb695c06db6d7f149bf6de155bbffc6c350215ede7f53c97a92287e9c77230de17cb930c450cbc947eada5

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\ShowRemove.php

MD5 8a0587542e6f49b98ca645cd37e60eeb
SHA1 7c8264770dfb1995b94735de9a08c09fc81e333a
SHA256 011c43379e90dd1d64e4f32de364f6cb14f56048deed637959df3baf759fac4e
SHA512 b317b70d43eff9e2121d36cf6fba0d28863d8188a2a6c31852def228727aa7a51cbc9a01f7c31fbfda96d0eb872b981dfe4ae483200134335229c0698ddb92e9

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\EnableInvoke.png

MD5 699f442d59ad65152953d7f16e104ca8
SHA1 9f2b93e3e0a7d4b8cf69017ac62aa318c85ee8fe
SHA256 a8ee5af25a1a34c37bb4d05a7a6e3c32075ae12edd2b10261c063381ed07655f
SHA512 de288220e5aebe1bab075d8a25fcaf3fd137ea17ae3e0487f6f7553c1490dc4588ab4ed7fde3420cf6e35d95cadb988ffb0308c183b683587f115f859c16e724

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\LockMerge.png

MD5 b7e1de38f6f0f301180634b885aed515
SHA1 bf34beb7471d49e6819fea8365125a6653c12ba9
SHA256 65062b2547ebf178e98e39e0e074f6c5aa4a299c80fb6e6ccff67f0b777bf541
SHA512 398790fd7a3b2e19a1e8394fac1801850e200a17b35d48db8fe44900d28185003516b88b10df93e15f259723bc418e664148c9b3d646bffdb5c98c5bcc9d0418

C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\PingPush.jpg

MD5 ca6ab6b2672b2a049bef5528d3993f6a
SHA1 b801f548238a4fe8a95605942e981f044db7c7f8
SHA256 71492c6923db0279e574928c5a0e61f8d918f969f82c0150c871a05545e55b9a
SHA512 0377670bd44211aec305a67ca613cc6ce2b0e4a94a6bcd6768e6b6efc8305b566a8e784fd67f6ff0ddc16f238cdbbecdce94f573bca1539c3ff21551668f7611

memory/4284-237-0x00000000744CE000-0x00000000744CF000-memory.dmp

memory/4284-238-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/4284-264-0x00000000744C0000-0x0000000074C70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-14 19:23
Reported: 2024-08-14 19:24
Platform: win11-20240802-en
Max time kernel: 40s
Max time network: 42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
File created | C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe

"C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 172.67.160.84:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 84.160.67.172.in-addr.arpa udp
US 104.21.85.189:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 172.67.74.152:443 api.ipify.org tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2960-0-0x000000007468E000-0x000000007468F000-memory.dmp

memory/2960-1-0x00000000002D0000-0x0000000000326000-memory.dmp

memory/2960-2-0x0000000074680000-0x0000000074E31000-memory.dmp

memory/2960-29-0x0000000006100000-0x0000000006192000-memory.dmp

memory/2960-32-0x0000000006750000-0x0000000006CF6000-memory.dmp

memory/2960-34-0x0000000006520000-0x0000000006586000-memory.dmp

C:\Users\Admin\AppData\Local\NPCDUADC\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\NPCDUADC\Process.txt

MD5 ce714ed04de89371bbc8f1d68bc94682
SHA1 1cf1613ea6299098de09113c67d3901d250b255c
SHA256 560f7ee3ed2fc2ceace395de8be09af90c732cf3831e9f59166ae3d2f0fb07bb
SHA512 aae5b90861a48b00ef268279012ebd962775449dd1de9e14dd26b32afbfc26c93f3039d64f57d1a4547111fb2b7d2953778c7c3905e07edc7cf3b951b36f2d19

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Desktop\JoinPush.jpeg

MD5 b2ba33342da479a4beb29b07b046f335
SHA1 f54d5a0bf0fa0a24cc697ec303906558070fb390
SHA256 81e35f1b5d66d97f4c03681598ab54c3d7615636feec61d280e08fc77a64d501
SHA512 5875b234145ac72e743d554336070e515ca5cda2bfa7c382eabeb776c2aac16bea8631005d3f2651b834301b9e3b6e2e00baf4c5671bcf32a3e6c6ac7c9b0af0

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Documents\ConvertResume.docx

MD5 b1db2182baf53630ada9ab61240de025
SHA1 5e3c8c425927c457a8b37e184544f808e6bbcae2
SHA256 5a841083e4752d899584d9c0bd762d72c7abbfc1a78a54c08340daea432ae20c
SHA512 aa71facbfd8dc312e52b06d846123923ae77983cefc5640b3ae5b9d36f733da59e6f6b76b34ae1e36957382c9db1f848ca676bb05e1e2c7e2f630e3fa1bacb87

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Documents\DebugLock.ppt

MD5 842a7b61ba1e294e580e91b78242f334
SHA1 2630755cbc5be7fc9afd0c49512ee28c530af46d
SHA256 39d4db9bebe50fe4385098b73c678304977b2328d99de710945605fd5465db76
SHA512 ecaa1255c953390b291a0e2e667fef30a9bea4858c850dc263499325c4c53cb81d912bcbfd27b90a4c1bc25e9dfa8b4e239ed22b33bb00b6accb27bfaa69e92d

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Downloads\AddCopy.jpeg

MD5 ba5fc3ae229b3fbb9dcfb48fa288d953
SHA1 ee405bb7460806615e9c0f74d9bf9ca067d43d2b
SHA256 1db097456ddd266c70035cf429f962361014cd27e53fc4597a0f4647eaf31775
SHA512 53e52afd6b012c823defb74789b5078c7776cf0fcf9e6b557a1128182633c7bbd8ad69167b8b58d0d83f078dcfbd370397dc2682767e2c50d75b07f5ff8d0cbd

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Downloads\ConvertToSubmit.css

MD5 a740f445183c1eb9a96570ea4c6f3b61
SHA1 4983c8f2baf81e43e0012e27526ebac50c62bdd4
SHA256 b24fd75dd171cb0ac7deff828288b08ae99867516131ffb95435316de0730ce4
SHA512 b27ea65aa5d82d157c47b7699ad1ca278d8bb809ad85a63b47c66a40979cb21190c49115ddd3090216dd70085354032e4202f966c3d9a8a3ad9536843a9cf836

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\ImportRequest.svg

MD5 b2570ce85fa542b07a0c599a5332e094
SHA1 c41a3046b70d35ef40bb7c4fc49486ca480f1253
SHA256 e745149c6bf9137ab07ae91e40d549755f307db212d9c378e7be5c617aa054c7
SHA512 e5189eca2a3e04d208f9f7743fa4d7cc98872e549cac6890c79de745309ed37af7c21434be8bc0c6151cb4022097a9339156b75276b3cd65fd06ce31fd6d9c92

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\InvokePing.jpeg

MD5 f521b860284736f67bbe93daa418cbc7
SHA1 f0242f541dcea0c938139a3149255e99a4e38b21
SHA256 0e0332da2186f027363b6b5880c4896269ca59fc1d0724cc630a45ec6e0d0246
SHA512 549283621769eb7c8d793ba15c5e343e0205407fd26c8901505e89bc90418059532cc979c4d92f9fc90b80ff8e26d2252d48208093c7b5ba37eea5e35e26bade

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\OutUnprotect.jpg

MD5 f81f014ee668b6f6725c400a52460a09
SHA1 f9d48c060da51ab262a597ed44483c21c73570df
SHA256 b5dcb4b68bffdd76b93495869a169087cc61f347a5d2d378b34afae537d23af7
SHA512 07fe653ec1d8477caa2fb5756d50bf70ea67519338ca3f8e5ef93d5ce884b0343c22c5c1b63ba6326250de50f51a5b09418c6544b20b1f63522ab3ca40f5176a

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\PingJoin.jpg

MD5 97a1f0e3085693b44c26961d51e9e21f
SHA1 90cab9133bc51789f1e250ee08efb5013b7708c7
SHA256 e5e6d0dda6bedab0791d6400c44001da9b6aaf1e202c33606bf99b2cef5253a8
SHA512 bcb09682e2a00b8dcd8f4ebcd83b5bcd6da9fe0785dc038771f1c48433e6d53230d00ecc85315034d3ef6d491e4ef4467e919fcc8be15d06ac3ef0b39d17f9fc

C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\PublishSwitch.svg

MD5 0b0e3bd28b272b15a7678b69e5109634
SHA1 8fddf8b791ba7397c2033be8a8469f9709f2f11b
SHA256 04c0933cd67185f0a6cc66aca1ffe8beadb66e9b19843de67787294b74b6aa2b
SHA512 e3e621a9de567cb7902f72e1302cb1c840a5ef84be77f4121626040a7106aec82a96090a0f1c76eda13c01b3a25bf1ea385a3840b06b7e9e9f9e99b2cb52e4c5

memory/2960-233-0x000000007468E000-0x000000007468F000-memory.dmp

memory/2960-234-0x0000000074680000-0x0000000074E31000-memory.dmp

memory/2960-260-0x0000000074680000-0x0000000074E31000-memory.dmp