Malware Analysis Report

2024-10-18 21:30

Sample ID 240817-2nmajs1fmh
Target 5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc
SHA256 5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc
Tags
stormkitty collection credential_access discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc

Threat Level: Known bad

The file 5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc was found to be: Known bad.

Malicious Activity Summary

stormkitty collection credential_access discovery spyware stealer

StormKitty payload

StormKitty

Stormkitty family

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops desktop.ini file(s)

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Checks processor information in registry

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 22:43

Signatures

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 22:43

Reported

2024-08-17 22:46

Platform

win7-20240704-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\PDIZKVQX\FileGrabber\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

"C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 172.67.160.84:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.85.189:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.13.205:443 api.ipify.org tcp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2696-0-0x000000007418E000-0x000000007418F000-memory.dmp

memory/2696-1-0x0000000000E70000-0x0000000000EC0000-memory.dmp

memory/2696-2-0x0000000074180000-0x000000007486E000-memory.dmp

C:\ProgramData\PDIZKVQX\FileGrabber\Desktop\DenyBackup.pptx

MD5 02e509acddff1837496e62b35d5c33c6
SHA1 ab334497da02a87ec601c8486a77d9fa668d91f9
SHA256 91473b552aa797e3a4117150b4d9bad9533cb0ee599887b848d360c3646e2798
SHA512 69f390acbe9ad4fb308eea3ad82f02e4becc27fc8bae96df636f8b595723a18d10714635f6d23d8048ef1dcd08502dc0afd7dbf27e34677c85941f31df68e92b

C:\ProgramData\PDIZKVQX\FileGrabber\Documents\RestoreRevoke.doc

MD5 d3b89f9f50c55e6baed035a126a46f4f
SHA1 87fc950f924ab5f9441566a325de07bfb873b579
SHA256 4c1248d796852071644b3c6c9120ce336c9e8a35ca65351a8efc21073e5c8f01
SHA512 473455f4ae4451f9f16248d6ce1fe91e9bdabb6a7deb160f7681e5e62701df392c1c1e21ed8ff9e18157d59bd053c718cd4f770f37cfb0ac443592a02ea5e159

C:\ProgramData\PDIZKVQX\FileGrabber\Downloads\AssertRevoke.rtf

MD5 ba9c5572ab05ce028510c5d4b3ec5a18
SHA1 622d78d60a6f1e5243f3657b44a8838aa4af48a1
SHA256 2ba3add9e74e3e3f5985807c1c02d823abbbc1d40a992643f418fda121d8f552
SHA512 378866235dca5c13026d7f562174bf4d2719f24f8be05f16cdd56859c70f194da1c676cfdc11990f4a2c9a190532d4f7618154a3584067a0472c69d8c18ba024

C:\ProgramData\PDIZKVQX\FileGrabber\Downloads\ConfirmSearch.xlsx

MD5 b7b1e3c2e30a8ab915ec0ceae6c30077
SHA1 f9a2e4685ee06268e9ad76d535833eef764e7d26
SHA256 67ced8833d74fe1bb9ce8b1447b067452cc730f9354f914aaf25548ac1cac289
SHA512 3d85e3a9a49913a19284f520109d6a346818cda4661e9b0e36f3a153ed47784b6d947aba843d77ac7b459670ad4ce915bf130ac6687d706a5d2496a9ecec1628

C:\ProgramData\PDIZKVQX\FileGrabber\Pictures\CompareConnect.png

MD5 4dcebbc6bd86bc3fc8c51ced6627a658
SHA1 022bcc691fa9f3addbc8f04c22d7568fd473a655
SHA256 079c2e5a0a7858c90979dbee3b377f652a18e2226abac8a366786944fe1f1bcb
SHA512 e148107c8b26a75a0e179f53e808fdfba4ecb5e043816f370162d4b1615bac4a091e4d7ea8e6690e4e9ecbd6df21554fbec6e21ee1456e94ad55e21dda270757

memory/2696-122-0x000000007418E000-0x000000007418F000-memory.dmp

memory/2696-123-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2696-139-0x0000000074180000-0x000000007486E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 22:43

Reported

2024-08-17 22:46

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
File created C:\ProgramData\SYMRKCCU\FileGrabber\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
File created C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
File created C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe

"C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 204.79.197.237:443 g.bing.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 34.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
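The two Network tables (behavioral1 and behavioral2) list every DNS query and connection the sandbox saw, without attributing a connection to a process, so the reader has to sort discovery traffic, candidate exfiltration channels and background noise by hand. The script below is an added example for this page, not code from the sandbox or from StormKitty. It parses rows copied from the behavioral2 table above, drops the DNS and in-addr.arpa (reverse lookup) rows, groups the remaining connections by destination, and flags the one cleartext connection (ip-api.com on port 80). The category names are the example's own assumptions: api.ipify.org, freegeoip.app, ip-api.com and ipbase.com are the public-IP/geolocation services the report's "Looks up external IP address" signature keys on; api.telegram.org and dl.dropboxusercontent.com are legitimate services that stealers commonly use as a bot-API exfiltration channel and a download host, but the report does not capture request content, so that is a label to verify from the PCAP, not a finding. The bing.com/bing.net rows are marked unattributed because behavioral2 also shows an msedge.exe utility process that may own them.

```python
"""Classify a sandbox report's Network table into discovery, candidate
exfiltration channels and noise. Added example; not part of the report."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral2 Network table above
# (Country Destination Domain Proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Public IP / geolocation services named by the report's discovery signature,
# plus ipbase.com, which only appears in the Network table.
IP_LOOKUP = {"api.ipify.org", "freegeoip.app", "ip-api.com", "ipbase.com"}
# Legitimate services commonly abused by stealers; the label is an assumption,
# the report does not show what was sent or fetched.
ABUSED_SERVICE = {"api.telegram.org": "telegram-bot-api",
                  "dl.dropboxusercontent.com": "dropbox-download"}
# Browser/OS background traffic the sandbox records but the sample need not own.
NOISE_SUFFIXES = (".bing.com", ".bing.net")

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
                 r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(text):
    """Parse 'CC ip:port domain proto' rows; silently skips non-matching lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def classify(row):
    dom = row["domain"]
    if dom.endswith(".in-addr.arpa"):
        return "ptr-noise"          # reverse lookups done by the sandbox resolver
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"                # name resolution, covered by the tcp row
    if dom in IP_LOOKUP:
        return "ip-lookup"
    if dom in ABUSED_SERVICE:
        return ABUSED_SERVICE[dom]
    if dom.endswith(NOISE_SUFFIXES):
        return "unattributed-browser"
    return "other"


def summarize(text):
    """Return ({category: {domain: {ip:port, ...}}}, [cleartext (domain, ip)]).
    DNS and PTR rows are dropped; port-80 connections are listed separately
    because their request/response is readable in a full capture."""
    summary = defaultdict(lambda: defaultdict(set))
    cleartext = []
    for r in parse_rows(text):
        cat = classify(r)
        if cat in ("dns", "ptr-noise"):
            continue
        summary[cat][r["domain"]].add(f"{r['ip']}:{r['port']}")
        if r["port"] == 80:
            cleartext.append((r["domain"], r["ip"]))
    return {k: dict(v) for k, v in summary.items()}, cleartext


if __name__ == "__main__":
    cats, plain = summarize(SAMPLE_ROWS)
    for cat, doms in cats.items():
        print(cat, {d: sorted(v) for d, v in doms.items()})
    print("cleartext:", plain)
```

Feeding the behavioral1 table through the same function gives the same four IP-lookup services and the same Telegram and Dropbox endpoints, which is the consistency across both platforms (Windows 7 and Windows 10) that makes those destinations worth a network rule, while the per-run Cloudflare addresses for the lookup services (104.26.13.205 vs 104.26.12.205, 172.67.160.84 vs 104.21.73.97) are not stable enough to block on their own.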

Files

memory/1164-0-0x000000007460E000-0x000000007460F000-memory.dmp

memory/1164-1-0x0000000000110000-0x0000000000160000-memory.dmp

memory/1164-2-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/1164-36-0x0000000005E40000-0x0000000005ED2000-memory.dmp

memory/1164-37-0x0000000006490000-0x0000000006A34000-memory.dmp

memory/1164-45-0x0000000006330000-0x0000000006396000-memory.dmp

C:\ProgramData\SYMRKCCU\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\ProgramData\SYMRKCCU\Process.txt

MD5 67a0e9a92b56fc48bfa1d1d6a046e05e
SHA1 340dcc7a95818370b2c165d3b6ee6de60d18c851
SHA256 e1559765cdb7af69be230dcb2bdab45c8f26f6d032942ad157c17d0489627175
SHA512 cb904edafb1dd5b62a96a413d7c2e38db15fa19d3c5f368d7f9f1a97a372519c4b9cc2c927f29b5738acc362d9e9cf5928985ae0dddb0e914ab5c7ebb56c00ba

memory/1164-164-0x000000007460E000-0x000000007460F000-memory.dmp

memory/1164-165-0x0000000074600000-0x0000000074DB0000-memory.dmp

C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\ExitDebug.bmp

MD5 99a2f8ba7264933185c8aee369dfda15
SHA1 a9520ecfb92ea89b3432a8471b92128e49ce4480
SHA256 b348698fca9263c51428990503332e9a47efc9bcfc4e7aa5a45ce1c267ce3bf8
SHA512 30d56c86bcfaa3e23c0f3429e9bb2832ebad9077291c3b2cf44466f57e4a97e7d55880d88ed7e7f351da008e682d36285eeaf716c632e6741ac5299c105601f5

C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\LockConvert.css

MD5 3c6a212347c8a065907832adb1811414
SHA1 2761be281a796ce6c34670d12d8d8055b9ce06dd
SHA256 96f18af72d3c963e711d616f6c4ea366a39ce3cbdf330e06a2ef9fa5a8b80b54
SHA512 281bf62fb35e46aa4b672810d19c5dcce4a36064b4e87d6a72fb4566ecd9c48adbdac80e231093338e1ca8026f509fcc4bd6cd3704095219caca0b1081cadb8b

C:\ProgramData\SYMRKCCU\FileGrabber\Documents\DebugRegister.html

MD5 67de13d9586f91411aabdaa7f7c930c3
SHA1 4bbd4b64cca09be942f956ec637a89b4de48b084
SHA256 eb5c7bee2a78bea14b48ec9bd4a86ab2fe1ae4a59f08b06999345d02008c6345
SHA512 66688b48ed372ed5d78e66d257d983e6d049523f8df843c618ceda61bfb42adb3b3aa2afc6e7204cc4965e795c5aec0d4fdace9e8f6e9778757fb650c7639f77

C:\ProgramData\SYMRKCCU\FileGrabber\Documents\DisableSet.ppt

MD5 10c994a4ce5e6f44ccc0a5918055cedc
SHA1 9d0dc01ddab4d38a194148a77ffa089900dcee69
SHA256 6dfccd7ecff8baf3dfe607f519797648c7db664c594948179a60d4f7b19451fa
SHA512 c9b765aa646c27804eb1b28c51135529012ca893552d7bd6ba523b6e32165c836c1135c932305f0405dce239f419a67286bf1cba4337c1b6b49ed3d0e0b92a81

C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\DebugNew.css

MD5 2e8de8c9133d237a8a073a2fff776206
SHA1 30dd9bd9fff33f274317bfe84eb74cfcf72297fa
SHA256 5d6b77d83e89e6e19ae655bbc7837ea0a795b1752dea0c4c1fad0b8d95c1a2c3
SHA512 2c8cc52cd9373569f9ce3ced2c6bf41b95f1ad74eb6d88d52907928f9588920f45a06ad1c5e3be99647c7bed14a468c31be8e11a79439e48487e17fa23606bbe

C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\DismountSwitch.rtf

MD5 09efc3da0c434f38d0c324809186b0d7
SHA1 5dc752505dad98e723effa3727491394658c5edd
SHA256 1b3f970ed052bc7afaa20f5e23a7a57eca5763ea5d9438708a57937ce83b226d
SHA512 16ee2183da5d8c8914ae60cbcf47f87b8274063ff6295df612cbe11735a1de339b54306f5b2ec08c3cbcaeabcd6c5bec0c75ae85c78665e7697ab83bd9155c13

C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\ExitJoin.xls

MD5 bcf592ea78eded349ce491523c28c40b
SHA1 9e38d1d744585907d75a9b61e4e26e2ec4e45887
SHA256 cc40782498ac1ed02f7209a9ed4ef939419de58a3fd48d578912129c8e038d75
SHA512 c77a21b766fe95dfd34e6a0fb0f0c62f3a3656b05cbeee80efb3ad9ddc5f0408b4777f53c0b5f66f32a0a227f947caeac8fa3bbc0d407700a5c025b91918a7cc

C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\ReceiveLock.docx

MD5 cb4786685752796b8e47184039d7e8b0
SHA1 5c3010c4d05fac6a72670d002b2fb29b1d9eea9f
SHA256 cef5125b80d6966043acdf24f5fe79ab155a7e624875f3c5f34985aef4904211
SHA512 96a96822324a3cc608c82d9d1f4be271f7c21978f47f51b3a6b7671593c27c7b36e64eae5034e1341d4f6709d3ad4649e0c8e89bf0ddfa73de26b0400164ece2

C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\EnableSelect.bmp

MD5 e31cc6a064fdd714772e65052587e6f8
SHA1 50b96d29ecabd2d62650bb6e3fa727b15e646260
SHA256 67b6f546cc152f8016e169ad00a37aabd0200ed10d37a03dd50695adc1fbc5a9
SHA512 a0b1175fe0da2c61ce668d505d3897e10632284a302d9f96baca0366fe2af9d84521ca1e171e35ef8fc1e3456ec07939b2ea3e13ea15163db79d580bf7a8a78c

C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\ConfirmMount.png

MD5 bf6bbe18caffe562c12ba028bbd4f891
SHA1 fd7ab0b6d16c90e905a98591ee0cc712e557962a
SHA256 acca5bb42651a543967d68a42db5fdaecf06ad117f583e7940432e714619127b
SHA512 59fd383b232fbf6728f67dfb1ccd01e9459ef09909785fbaae1f93436373204e7a2fe697e492dca80806115117b8724b6d78842a06a1d69857816b1e00c78e04

C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\ExitUnpublish.png

MD5 f02d4ae145c6dbe7955ed29bcf3bc85b
SHA1 bb7158d8a01081093b499d7f29196da7abac931a
SHA256 ab28b0899f3b1a180ee2cecc9d9b844090ee2ce024bec266b1cbd2e1f53e386c
SHA512 9a8186969002fab550bfcc2e6d7132e54353ab2154d39ce7d75ac87882257728a8a6a7aba531cd5ab7800e61e028ea2ed8970776238d3512baa0bf05546ec3ee

C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\HideRestart.png

MD5 d725f4ff05afbb6c0609dc0fc855daaf
SHA1 f9f00396c9c3e79f91c871a2a8a377fc4d187f00
SHA256 e04876417b246c3f86bce43dc4809026c339bc51e3edb4e870049ab2a452aa7c
SHA512 d4b47a48d1c1b48dd0d50486b6d1dec58782a317b19cd7f6ba10e4c0dfc0edf664260fda48be67732b66dbeea87fa526eae129969ee5bf81960d28940300d448

C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\MeasureCompare.bmp

MD5 931fec1b30038c40fdf4c4f54bb62b04
SHA1 79dc738a4b6971b3fbe9531d7ca7dac2826a6388
SHA256 999d3690c1936152ee8f3af961f8e240bf013d56deb8f24284c37c04896ff410
SHA512 0a6a5f01bced5b2c11296397a196944ae6c15f2da39ee55a2692b3e3234ad6b429ce15a751d14adb8d531d51c6e8cdb85999008ff77eb6317b8309b627a61615

C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\PushResize.jpg

MD5 8f967dfb021d3b014e15c55ea61f488a
SHA1 f7e2d1b5c61a87b49df84566823814a609829426
SHA256 6c5d7b7284ab99a805aeb3e0d0ef6198bbf0dee2b3c913a9529a312e3ebea156
SHA512 aa04dc4cc558f836f77352701aef7cf579abf8fe46153523728a7923f04c59ebebdd2cc9394ff66e8ef19a8137242101b5867347e78cb21c04d864dbb3a24250

memory/1164-297-0x0000000074600000-0x0000000074DB0000-memory.dmp
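The registry indicators in the signature tables and the paths in the two Files sections need normalizing before they are useful outside this report. The registry paths carry the analysis VM's SID (S-1-5-21-3450744190-... in behavioral1, S-1-5-21-2170637797-... in behavioral2), an Office major version (15.0 and 16.0) and a ControlSet number, none of which will match on another host; the 9375CFF0413111d3B88A00104B2A6676 subkey they end in is the key under which Outlook stores per-account profile settings, which is what makes the access a credential-collection indicator. The Files sections mix three things: the sandbox's own memory-region dumps (memory/PID-...), copies of the VM user's documents that the sample collected into C:\ProgramData\<8 letters>\FileGrabber\<Desktop|Documents|Downloads|Pictures>\, and the stealer's own collection output in the same directory (Browsers\Firefox\Bookmarks.txt, Process.txt). The MD5/SHA values listed for the FileGrabber entries therefore hash the analysis VM's bait documents, not malware components, and should not be shipped as IOCs; the reusable host indicators are the key paths and the staging-directory shape. The script below is an added example for this page, not code from the sandbox or from StormKitty; it rewrites the registry lines into HKCU/HKLM form with a wildcarded Office version and CurrentControlSet, and sorts the file entries. The eight-uppercase-letter directory pattern is inferred from only the two runs shown here (PDIZKVQX, SYMRKCCU) and is an assumption until checked against more samples.

```python
"""Turn this report's host indicators into reusable detection patterns.
Added example for this page; not code from the sandbox or from StormKitty."""
import re

# Constructed input: indicator lines copied from the signature tables above.
REG_LINES = [
    r"Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier",
]
# Constructed input: entries copied from the two Files sections.
FILE_LINES = [
    r"memory/2696-0-0x000000007418E000-0x000000007418F000-memory.dmp",
    r"memory/1164-36-0x0000000005E40000-0x0000000005ED2000-memory.dmp",
    r"C:\ProgramData\PDIZKVQX\FileGrabber\Desktop\DenyBackup.pptx",
    r"C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\ExitJoin.xls",
    r"C:\ProgramData\SYMRKCCU\Browsers\Firefox\Bookmarks.txt",
    r"C:\ProgramData\SYMRKCCU\Process.txt",
]

REG = re.compile(r"^(?P<op>Key opened|Key value queried)\s+(?P<path>\\REGISTRY\\.+)$")
USER_SID = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.I)
MACHINE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.I)
CONTROL_SET = re.compile(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\", re.I)
OFFICE_VER = re.compile(r"\\Office\\\d+\.0\\")
# Staging directory shape: assumption inferred from the two runs on this page.
STAGING = re.compile(r"^C:\\ProgramData\\(?P<dir>[A-Z]{8})\\(?P<rest>.+)$")
FILEGRABBER = re.compile(r"^FileGrabber\\(?P<folder>Desktop|Documents|Downloads|Pictures)\\(?P<name>[^\\]+)$")
MEMDUMP = re.compile(r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def normalize_key(line):
    """Rewrite an NT-native registry path into a user- and host-independent
    HKCU/HKLM form. The per-machine SID, the Office major version and the
    ControlSet number all differ between hosts, so a rule must not pin them.
    Returns (operation, normalized_path) or None for non-registry lines."""
    m = REG.match(line)
    if not m:
        return None
    path = m.group("path")
    if USER_SID.match(path):
        path = "HKCU\\" + USER_SID.sub("", path, count=1)
    elif MACHINE.match(path):
        path = "HKLM\\" + MACHINE.sub("", path, count=1)
    # Callable replacements keep re.sub from interpreting backslash escapes.
    path = CONTROL_SET.sub(lambda _: "HKLM\\SYSTEM\\CurrentControlSet\\", path)
    path = OFFICE_VER.sub(lambda _: "\\Office\\*\\", path)
    return m.group("op"), path


def classify_file(entry):
    """Separate the sandbox's memory-region dumps from files the sample wrote
    into its staging directory, and within those, copies of the user's own
    documents (FileGrabber) from the stealer's collection output."""
    m = MEMDUMP.match(entry)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory-dump", "pid": int(m["pid"]), "size": end - start}
    m = STAGING.match(entry)
    if not m:
        return {"kind": "other", "path": entry}
    fg = FILEGRABBER.match(m["rest"])
    if fg:
        return {"kind": "staged-user-file", "dir": m["dir"],
                "folder": fg["folder"], "name": fg["name"]}
    return {"kind": "staged-collection", "dir": m["dir"], "artifact": m["rest"]}


def staging_dirs(entries):
    """Staging directory names seen across runs; each run used a new one,
    so a detection should match the shape, never a specific name."""
    return {c["dir"] for c in map(classify_file, entries) if "dir" in c}


if __name__ == "__main__":
    for line in REG_LINES:
        print(normalize_key(line))
    for entry in FILE_LINES:
        print(classify_file(entry))
    print(staging_dirs(FILE_LINES))
```

The registry output is what goes into a host rule: the two Outlook profile paths under HKCU and the NLS\Language and CentralProcessor\0\Identifier reads under HKLM, with the latter two only useful in combination, since legitimate software reads them constantly. For the file side, a "File created" rule on C:\ProgramData\[A-Z]{8}\FileGrabber\(Desktop|Documents|Downloads|Pictures)\ catches the collection step on any run, whereas a hash match on DenyBackup.pptx or ExitJoin.xls would only ever fire inside this sandbox.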