Analysis Overview
SHA256
75bc18011ab2a39bdd97e241ee748399fa0fdf7fbd51a640abe5067cee34abcc
Threat Level: Known bad
The file ProtectPass.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
Stormkitty family
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Checks installed software on the system
Looks up external IP address via web service
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Checks processor information in registry
outlook_office_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 19:23
Signatures
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 19:23
Reported
2024-08-14 19:25
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe
"C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4284-0-0x00000000744CE000-0x00000000744CF000-memory.dmp
memory/4284-1-0x0000000000D90000-0x0000000000DE6000-memory.dmp
memory/4284-2-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/4284-31-0x0000000006AC0000-0x0000000006B52000-memory.dmp
memory/4284-32-0x0000000007110000-0x00000000076B4000-memory.dmp
memory/4284-40-0x0000000006FC0000-0x0000000007026000-memory.dmp
C:\Users\Admin\AppData\Local\OARDHGDN\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\OARDHGDN\Process.txt
| MD5 | b9de1c3959308ca8ce4b41d11f8f31c5 |
| SHA1 | ed3e4f5ce28c03a70ac67c58e8699ce62d9f9833 |
| SHA256 | 54f5889b99019e5b5ec147484c99b92cb11c2a83d12febdc71a1a4cb07c6cda9 |
| SHA512 | b4d706b03b5aa700d87e3a3efdf2a4355053c16477a54d598f08ddca2af2dfc914b877ec3eb717ae8d418d7fb72b7f3be9a21d6d2ad1eeed9a85b911d93e414e |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\ConfirmGroup.php
| MD5 | 1291734e8db998d3a9581370320efd6c |
| SHA1 | e3655d42aca84d9e562e484978f62854576e927d |
| SHA256 | a1cc1a8934c153e53ba42dbfd03bd1fe1c079ceea780f40d441c19889a3ff859 |
| SHA512 | 404b1ef78325c658b207990b37ecd228031ea24031b1dd030ed06afe03543464ec942c0b8848a59bff25625eb341696bad645be90ca98f9b8c59230f4f2fee75 |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\DebugConvertTo.html
| MD5 | 1e3400d6a285c7046b0286e873bbece3 |
| SHA1 | 0ea79e84a2d849cc207610e93a0dbd52961dfaf1 |
| SHA256 | 5802323adbd61903ad13a2c4d5cf8438544276d943ca1dbbc672c07ad0118054 |
| SHA512 | ae186e97a70cbc2da0525144cb41e4ae01cf20fc177fe8ca228161afd335c5c276f99a04166c8fca64877fb348db4b5b6e1ffa7098bba4e263d6bc488a22b87e |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Desktop\RenameEnable.html
| MD5 | 0c1b66f340ecd052ed90de2f65122134 |
| SHA1 | 145a54f79e6e6d6fe63c85ba999486764272f7d8 |
| SHA256 | 35395f12a4655109a0bab4279b9251795f18f601b914b479ab28f7cf6998b61e |
| SHA512 | 4bcfe30ae2f5b87692e37ab79eedcbde6bb368d34bee9193f4c751a2130b29831bb44966c92968394a0e577af679f9bb256ec5f5ad770e855fa89c3082286f3a |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\DisableReset.txt
| MD5 | e8f96c24bfd3d1424b84732386619b2c |
| SHA1 | d6902fe1602db76698f0ba6233c28d8cb32be6d0 |
| SHA256 | 005cc8f865b99c3c4a5fc88632b29438dd290e806ed18ca71da472c1d12f01fb |
| SHA512 | 6d3780080b6289f7b3577743f36da8f2e2a1e1cc8840440db1cddcf9268d280c11c5c793d0d196dff9afb66f97b97005f98404b81c6f236624c515f643515d1c |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Documents\MoveResume.ppt
| MD5 | ac05b5c3b1a5bff6a7832539882844c0 |
| SHA1 | 2d4f52d8954866665dc5e955934cf08fe40db5a3 |
| SHA256 | e2ea4332dc491decb1af22edf096ba7655bd890692d7ee2317b9f282a8d4fa1c |
| SHA512 | f0e1dcd6a0e2d466aa976636e3f9353000a8a6e91c6c9460f4a7fa5ffe32cf73797e158d21b41425799bc547e83e07e65850dd39340fcf0ce71aee7f3b0a3b40 |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\CloseSend.js
| MD5 | 12c65cdda4fd1cb551792f4bd5c299d1 |
| SHA1 | 9b93d6298f050b9b20d2f9eaa76e4b95c27cf15d |
| SHA256 | 003b201a96ef285c79aed1965c19a0b869d1829b0e2de7f61869d57dca17ded7 |
| SHA512 | 145dfc3067f56cf7cc57911abadfe39f85c99fc641cb695c06db6d7f149bf6de155bbffc6c350215ede7f53c97a92287e9c77230de17cb930c450cbc947eada5 |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Downloads\ShowRemove.php
| MD5 | 8a0587542e6f49b98ca645cd37e60eeb |
| SHA1 | 7c8264770dfb1995b94735de9a08c09fc81e333a |
| SHA256 | 011c43379e90dd1d64e4f32de364f6cb14f56048deed637959df3baf759fac4e |
| SHA512 | b317b70d43eff9e2121d36cf6fba0d28863d8188a2a6c31852def228727aa7a51cbc9a01f7c31fbfda96d0eb872b981dfe4ae483200134335229c0698ddb92e9 |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\EnableInvoke.png
| MD5 | 699f442d59ad65152953d7f16e104ca8 |
| SHA1 | 9f2b93e3e0a7d4b8cf69017ac62aa318c85ee8fe |
| SHA256 | a8ee5af25a1a34c37bb4d05a7a6e3c32075ae12edd2b10261c063381ed07655f |
| SHA512 | de288220e5aebe1bab075d8a25fcaf3fd137ea17ae3e0487f6f7553c1490dc4588ab4ed7fde3420cf6e35d95cadb988ffb0308c183b683587f115f859c16e724 |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\LockMerge.png
| MD5 | b7e1de38f6f0f301180634b885aed515 |
| SHA1 | bf34beb7471d49e6819fea8365125a6653c12ba9 |
| SHA256 | 65062b2547ebf178e98e39e0e074f6c5aa4a299c80fb6e6ccff67f0b777bf541 |
| SHA512 | 398790fd7a3b2e19a1e8394fac1801850e200a17b35d48db8fe44900d28185003516b88b10df93e15f259723bc418e664148c9b3d646bffdb5c98c5bcc9d0418 |
C:\Users\Admin\AppData\Local\OARDHGDN\FileGrabber\Pictures\PingPush.jpg
| MD5 | ca6ab6b2672b2a049bef5528d3993f6a |
| SHA1 | b801f548238a4fe8a95605942e981f044db7c7f8 |
| SHA256 | 71492c6923db0279e574928c5a0e61f8d918f969f82c0150c871a05545e55b9a |
| SHA512 | 0377670bd44211aec305a67ca613cc6ce2b0e4a94a6bcd6768e6b6efc8305b566a8e784fd67f6ff0ddc16f238cdbbecdce94f573bca1539c3ff21551668f7611 |
memory/4284-237-0x00000000744CE000-0x00000000744CF000-memory.dmp
memory/4284-238-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/4284-264-0x00000000744C0000-0x0000000074C70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 19:23
Reported
2024-08-14 19:24
Platform
win11-20240802-en
Max time kernel
40s
Max time network
42s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe
"C:\Users\Admin\AppData\Local\Temp\ProtectPass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2960-0-0x000000007468E000-0x000000007468F000-memory.dmp
memory/2960-1-0x00000000002D0000-0x0000000000326000-memory.dmp
memory/2960-2-0x0000000074680000-0x0000000074E31000-memory.dmp
memory/2960-29-0x0000000006100000-0x0000000006192000-memory.dmp
memory/2960-32-0x0000000006750000-0x0000000006CF6000-memory.dmp
memory/2960-34-0x0000000006520000-0x0000000006586000-memory.dmp
C:\Users\Admin\AppData\Local\NPCDUADC\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\NPCDUADC\Process.txt
| MD5 | ce714ed04de89371bbc8f1d68bc94682 |
| SHA1 | 1cf1613ea6299098de09113c67d3901d250b255c |
| SHA256 | 560f7ee3ed2fc2ceace395de8be09af90c732cf3831e9f59166ae3d2f0fb07bb |
| SHA512 | aae5b90861a48b00ef268279012ebd962775449dd1de9e14dd26b32afbfc26c93f3039d64f57d1a4547111fb2b7d2953778c7c3905e07edc7cf3b951b36f2d19 |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Desktop\JoinPush.jpeg
| MD5 | b2ba33342da479a4beb29b07b046f335 |
| SHA1 | f54d5a0bf0fa0a24cc697ec303906558070fb390 |
| SHA256 | 81e35f1b5d66d97f4c03681598ab54c3d7615636feec61d280e08fc77a64d501 |
| SHA512 | 5875b234145ac72e743d554336070e515ca5cda2bfa7c382eabeb776c2aac16bea8631005d3f2651b834301b9e3b6e2e00baf4c5671bcf32a3e6c6ac7c9b0af0 |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Documents\ConvertResume.docx
| MD5 | b1db2182baf53630ada9ab61240de025 |
| SHA1 | 5e3c8c425927c457a8b37e184544f808e6bbcae2 |
| SHA256 | 5a841083e4752d899584d9c0bd762d72c7abbfc1a78a54c08340daea432ae20c |
| SHA512 | aa71facbfd8dc312e52b06d846123923ae77983cefc5640b3ae5b9d36f733da59e6f6b76b34ae1e36957382c9db1f848ca676bb05e1e2c7e2f630e3fa1bacb87 |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Documents\DebugLock.ppt
| MD5 | 842a7b61ba1e294e580e91b78242f334 |
| SHA1 | 2630755cbc5be7fc9afd0c49512ee28c530af46d |
| SHA256 | 39d4db9bebe50fe4385098b73c678304977b2328d99de710945605fd5465db76 |
| SHA512 | ecaa1255c953390b291a0e2e667fef30a9bea4858c850dc263499325c4c53cb81d912bcbfd27b90a4c1bc25e9dfa8b4e239ed22b33bb00b6accb27bfaa69e92d |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Downloads\AddCopy.jpeg
| MD5 | ba5fc3ae229b3fbb9dcfb48fa288d953 |
| SHA1 | ee405bb7460806615e9c0f74d9bf9ca067d43d2b |
| SHA256 | 1db097456ddd266c70035cf429f962361014cd27e53fc4597a0f4647eaf31775 |
| SHA512 | 53e52afd6b012c823defb74789b5078c7776cf0fcf9e6b557a1128182633c7bbd8ad69167b8b58d0d83f078dcfbd370397dc2682767e2c50d75b07f5ff8d0cbd |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Downloads\ConvertToSubmit.css
| MD5 | a740f445183c1eb9a96570ea4c6f3b61 |
| SHA1 | 4983c8f2baf81e43e0012e27526ebac50c62bdd4 |
| SHA256 | b24fd75dd171cb0ac7deff828288b08ae99867516131ffb95435316de0730ce4 |
| SHA512 | b27ea65aa5d82d157c47b7699ad1ca278d8bb809ad85a63b47c66a40979cb21190c49115ddd3090216dd70085354032e4202f966c3d9a8a3ad9536843a9cf836 |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\ImportRequest.svg
| MD5 | b2570ce85fa542b07a0c599a5332e094 |
| SHA1 | c41a3046b70d35ef40bb7c4fc49486ca480f1253 |
| SHA256 | e745149c6bf9137ab07ae91e40d549755f307db212d9c378e7be5c617aa054c7 |
| SHA512 | e5189eca2a3e04d208f9f7743fa4d7cc98872e549cac6890c79de745309ed37af7c21434be8bc0c6151cb4022097a9339156b75276b3cd65fd06ce31fd6d9c92 |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\InvokePing.jpeg
| MD5 | f521b860284736f67bbe93daa418cbc7 |
| SHA1 | f0242f541dcea0c938139a3149255e99a4e38b21 |
| SHA256 | 0e0332da2186f027363b6b5880c4896269ca59fc1d0724cc630a45ec6e0d0246 |
| SHA512 | 549283621769eb7c8d793ba15c5e343e0205407fd26c8901505e89bc90418059532cc979c4d92f9fc90b80ff8e26d2252d48208093c7b5ba37eea5e35e26bade |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\OutUnprotect.jpg
| MD5 | f81f014ee668b6f6725c400a52460a09 |
| SHA1 | f9d48c060da51ab262a597ed44483c21c73570df |
| SHA256 | b5dcb4b68bffdd76b93495869a169087cc61f347a5d2d378b34afae537d23af7 |
| SHA512 | 07fe653ec1d8477caa2fb5756d50bf70ea67519338ca3f8e5ef93d5ce884b0343c22c5c1b63ba6326250de50f51a5b09418c6544b20b1f63522ab3ca40f5176a |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\PingJoin.jpg
| MD5 | 97a1f0e3085693b44c26961d51e9e21f |
| SHA1 | 90cab9133bc51789f1e250ee08efb5013b7708c7 |
| SHA256 | e5e6d0dda6bedab0791d6400c44001da9b6aaf1e202c33606bf99b2cef5253a8 |
| SHA512 | bcb09682e2a00b8dcd8f4ebcd83b5bcd6da9fe0785dc038771f1c48433e6d53230d00ecc85315034d3ef6d491e4ef4467e919fcc8be15d06ac3ef0b39d17f9fc |
C:\Users\Admin\AppData\Local\NPCDUADC\FileGrabber\Pictures\PublishSwitch.svg
| MD5 | 0b0e3bd28b272b15a7678b69e5109634 |
| SHA1 | 8fddf8b791ba7397c2033be8a8469f9709f2f11b |
| SHA256 | 04c0933cd67185f0a6cc66aca1ffe8beadb66e9b19843de67787294b74b6aa2b |
| SHA512 | e3e621a9de567cb7902f72e1302cb1c840a5ef84be77f4121626040a7106aec82a96090a0f1c76eda13c01b3a25bf1ea385a3840b06b7e9e9f9e99b2cb52e4c5 |
memory/2960-233-0x000000007468E000-0x000000007468F000-memory.dmp
memory/2960-234-0x0000000074680000-0x0000000074E31000-memory.dmp
memory/2960-260-0x0000000074680000-0x0000000074E31000-memory.dmp