Analysis Overview
SHA256
5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc
Threat Level: Known bad
The file 5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
Stormkitty family
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Looks up external IP address via web service
Drops desktop.ini file(s)
Checks installed software on the system
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Checks processor information in registry
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-17 22:43
Signatures
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-17 22:43
Reported: 2024-08-17 22:46
Platform: win7-20240704-en
Max time kernel: 121s
Max time network: 122s
Signatures
StormKitty
StormKitty payload
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\PDIZKVQX\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
"C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\ProgramData\PDIZKVQX\FileGrabber\Desktop\DenyBackup.pptx
C:\ProgramData\PDIZKVQX\FileGrabber\Documents\RestoreRevoke.doc
C:\ProgramData\PDIZKVQX\FileGrabber\Downloads\AssertRevoke.rtf
C:\ProgramData\PDIZKVQX\FileGrabber\Downloads\ConfirmSearch.xlsx
C:\ProgramData\PDIZKVQX\FileGrabber\Pictures\CompareConnect.png
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-17 22:43
Reported: 2024-08-17 22:46
Platform: win10v2004-20240802-en
Max time kernel: 136s
Max time network: 128s
Signatures
StormKitty
StormKitty payload
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| File created | C:\ProgramData\SYMRKCCU\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| File created | C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| File created | C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe
"C:\Users\Admin\AppData\Local\Temp\5ae9a61c6122a37eec8c250790b437a3bda7d2a3995d4cb6e106da6f900c53cc.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\ProgramData\SYMRKCCU\Browsers\Firefox\Bookmarks.txt
C:\ProgramData\SYMRKCCU\Process.txt
C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\ExitDebug.bmp
C:\ProgramData\SYMRKCCU\FileGrabber\Desktop\LockConvert.css
C:\ProgramData\SYMRKCCU\FileGrabber\Documents\DebugRegister.html
C:\ProgramData\SYMRKCCU\FileGrabber\Documents\DisableSet.ppt
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\DebugNew.css
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\DismountSwitch.rtf
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\ExitJoin.xls
C:\ProgramData\SYMRKCCU\FileGrabber\Downloads\ReceiveLock.docx
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\EnableSelect.bmp
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\ConfirmMount.png
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\ExitUnpublish.png
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\HideRestart.png
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\MeasureCompare.bmp
C:\ProgramData\SYMRKCCU\FileGrabber\Pictures\PushResize.jpg