stormkitty | bbbe89f639a538b804eefebffac0659d5879938423280baa10bf989a533f34e3

Analysis

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Size

3.5MB
MD5

b710318c9e53a913b0980d712f545dce
SHA1

35a7fa3ce975e9523db30e0fa336f26df44dd595
SHA256

bbbe89f639a538b804eefebffac0659d5879938423280baa10bf989a533f34e3
SHA512

a43ac36654ef09ea1078a1caaf9fe354cf48b38aac52ff28b170fa197018bcae83471125a143b7689c0fbdca7c08a701f07478c13de58adcf5df3ffc502b6da3
SSDEEP

98304:5AyJqL5ceKpuULlMr/vOU/jIEeQfoR/IuOFVjUu5:5AyJHy1FIF0wu

Score

10^/10

stormkitty collection discovery macro persistence spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 13 IoCs

resource	yara_rule
behavioral1/memory/3044-17-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/3044-16-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/3044-18-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/3044-19-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/files/0x0007000000012117-25.dat	family_stormkitty
behavioral1/memory/2772-39-0x0000000000CA0000-0x0000000000CF6000-memory.dmp	family_stormkitty
behavioral1/memory/3044-46-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/984-88-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/2524-98-0x0000000000DA0000-0x0000000000DF6000-memory.dmp	family_stormkitty
behavioral1/memory/984-198-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/984-197-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/984-389-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/984-541-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0008000000019621-193.dat

Executes dropped EXE 4 IoCs

pid	Process
2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
2636	Synaptics.exe
984	Synaptics.exe
2524	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
984	Synaptics.exe
984	Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File created	C:\ProgramData\VORHPBAB\FileGrabber\Desktop\desktop.ini	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
File created	C:\ProgramData\VORHPBAB\FileGrabber\Documents\desktop.ini	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
File created	C:\ProgramData\VORHPBAB\FileGrabber\Downloads\desktop.ini	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
File created	C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.ipify.org
6	freegeoip.app
33	api.ipify.org
35	ip-api.com
42	api.ipify.org
47	api.ipify.org
12	freegeoip.app
31	api.ipify.org
44	api.ipify.org
9	freegeoip.app
30	api.ipify.org
34	api.ipify.org
36	ip-api.com
43	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2636 set thread context of 984	2636	Synaptics.exe	33

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1556	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
2524	._cache_Synaptics.exe
2524	._cache_Synaptics.exe
2524	._cache_Synaptics.exe
2524	._cache_Synaptics.exe
2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
2524	._cache_Synaptics.exe
2524	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Token: SeDebugPrivilege	2524	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 2428 wrote to memory of 3044	2428	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	30
PID 3044 wrote to memory of 2772	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	31
PID 3044 wrote to memory of 2772	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	31
PID 3044 wrote to memory of 2772	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	31
PID 3044 wrote to memory of 2772	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	31
PID 3044 wrote to memory of 2636	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	32
PID 3044 wrote to memory of 2636	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	32
PID 3044 wrote to memory of 2636	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	32
PID 3044 wrote to memory of 2636	3044	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	32
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 2636 wrote to memory of 984	2636	Synaptics.exe	33
PID 984 wrote to memory of 2524	984	Synaptics.exe	34
PID 984 wrote to memory of 2524	984	Synaptics.exe	34
PID 984 wrote to memory of 2524	984	Synaptics.exe	34
PID 984 wrote to memory of 2524	984	Synaptics.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2524

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.5MB

MD5
b710318c9e53a913b0980d712f545dce

SHA1
35a7fa3ce975e9523db30e0fa336f26df44dd595

SHA256
bbbe89f639a538b804eefebffac0659d5879938423280baa10bf989a533f34e3

SHA512
a43ac36654ef09ea1078a1caaf9fe354cf48b38aac52ff28b170fa197018bcae83471125a143b7689c0fbdca7c08a701f07478c13de58adcf5df3ffc502b6da3

Download Submit
C:\ProgramData\VORHPBAB\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\VORHPBAB\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Desktop\LockExpand.docx

Filesize
360KB

MD5
fb7b179cdac9e98ada4ecb4b7d3ea769

SHA1
900f8a7db8ad6b5eb3ac01d5e81f9c7a9bd87916

SHA256
f9d6225bb84d0f4a34f90672f0841134e0849dfed0c15765da740d09bf0fe2f2

SHA512
10d3b83a68670bea8537cf45ffe35230e7b455e92b7ebf1f70c992a6e7f8550fe177c04f96eedffb88f919863beab99baef9af27999fd9ca9fc618e78fab9bda

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Desktop\UninstallInstall.docx

Filesize
13KB

MD5
018ce1aebfe39e586776c86af8ede858

SHA1
2a3490d7d2ed03a96aead1661cacb572f9185a46

SHA256
c3b18239931670c3459a03a24964625f74532ae69a07476412d7dd53acbf58c0

SHA512
2c2f46ef9cd5e944623c220c30247b8408465e7035a08b3db79b694c7584996dd2d8300e862ae81a159fa9d5c1cd2c23ac5528831da11d5d1b3a2e2f1db2a6ee

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Desktop\UpdateDismount.docx

Filesize
13KB

MD5
2cf6bc717262f0f9b30233c175567f24

SHA1
5dab2928756cd4f702f43d1956501cc1b60b23f6

SHA256
9c7ca6780d7698f10732d33922dcc94f9628dd1811e88c563b77b5326ce58fed

SHA512
cc92e84cd7f6ed279080743186133adfb7a3add3a52359a5aea2586da40838a6c5e9550b8f73f704b486c3275b46f029d476b0e8ea8eff0db042d5e44831b675

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Documents\EditGrant.docx

Filesize
14KB

MD5
3ad46c094b7d49992680d88088cd91d4

SHA1
df42752b68d06e962ea878e4bf6ffc855fb28f9c

SHA256
cc8aae6198fefbc97732ded2c99360a3a602a3243b704590089308f3493c3264

SHA512
8a1869013ac0e09c757bb169e35be99c111e0ae1354bbba3a143eaddd57246e6a17482e9f4b3e9bc613ba39165468cc76d136fe9d7e12ac02ad0c4bf73fbfb2b

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Documents\FindExpand.pdf

Filesize
2.8MB

MD5
394e5bb65a40d6c0d8edf3a127c78bb0

SHA1
960a547db4bdfec3bc5e12e7d7c5d23214be950a

SHA256
6c668ce90085543155025a44e0e606d39ed9752401943408a4d2de0a79135872

SHA512
b5d57e4fe8e465c2375de6d3e07e232760fa7244ebc7c1e617c5e6a3a97256db7611660711fa487d7aa7c5af845634b0b9286ebce6109bc9645540683896cf61

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\ConvertPublish.bmp

Filesize
407KB

MD5
60839805d41a7ed1379146a21d87240c

SHA1
c3f30c734fbfa1fa190a8a578b0a18d9447d49b4

SHA256
bf229d52fd6fd583661d1d4c62f43d41b474052ddd24bf39dcf76115d6a2b78a

SHA512
afc58dc33be08220d324325c605e7562cb06028ea8369ad934a8a72415c45975f43245e7412b3f224d6041cc39f9481369ca5d9b839b5a3ce5d053d072546fde

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\ProtectPublish.bmp

Filesize
423KB

MD5
22c568ae4661171ee1d8542e5b3f33f8

SHA1
194e2474d23447541d1a0500e7f1c6a74cb9309e

SHA256
2ae1a309eb0b16d9732d91cb82594d8251a3cb1d917c243709c68d27735048f2

SHA512
d2f1b77a1bcccfb935797bad6235620e6b34ec2f083a59ea63645c17319a0016f195a377d12c4b7c1f374af38f57f2d4281cb78c6ffe45b78b7a5372d3adaca2

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\RenameEdit.pdf

Filesize
343KB

MD5
30a5a8892e3528c1bfee7d346c9e18e1

SHA1
3dca1c27b3d4ee804ec5f49cc122c2f4ac58d750

SHA256
3f8d65906ddd0ee2f16cf2cfd56c8fa290595b62f544bbba42aaddb93068be22

SHA512
cc975b06eaf1200fbb75945b6f92ad8e1a56ac4b923f35f6bdbb54b8c322e8c394967ea07feb6e1a0d513107009d62623b677e24629f3e89662d025d5a373bad

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\UnlockPing.jpeg

Filesize
519KB

MD5
34149614b09d1f1846b61fa82ed8594a

SHA1
7e93345b2b61447b5d1b394cd503ab3978d43244

SHA256
a9ef98da94aaa95be0900f6ad3dd64e9c6282b9d8ddf9bfc1274930b69a4f4df

SHA512
d6744b41d04850f81b730e8e6207dc3d0a89f117df7ebbb4e70ea53db360e82aac1249dd9cb86567fa1e889a4a01d7fd7566bbec5a309c20d67e49c79db42af8

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\ProgramData\VORHPBAB\FileGrabber\Pictures\ClearComplete.svg

Filesize
1.4MB

MD5
a76fc264b691d27050c11b387034d906

SHA1
5bf967ccfde555252cfddd9342ce4392635b5c4b

SHA256
fd71aeac21caff08fb82ab12bb885437fa3c6f2a7e9c301920e7148406f15303

SHA512
dc56b5ac10a21ea2d050055a6df85d60e04aa648bc27bb42bd0e901d4dd9b94ab48aeebcedfcb9a692bced35e3488b5b4f5980d7e556de6bf96c659a6e5d6948

Download Submit
C:\ProgramData\VORHPBAB\InstalledSoftware.txt

Filesize
1KB

MD5
196da0a1f32dbc89b3b8ba0f391f8c48

SHA1
f0ff637fb76443adad85bfa1b929dd4280d0170c

SHA256
6d9ebf86f570df9b344ad896c4ebec1ee61ae4074c6dc9bfb3fffb7c1b59c9ef

SHA512
b3f34fdca34021a40e2cf42fa806aec7d92c9b870a782a6268d7ae0115ba33d7bf444c8cfcd0f6537da2a448ea51c37b4d1fe5f020cc2e86b4e0850bde850706

Download Submit
C:\ProgramData\VORHPBAB\Process.txt

Filesize
1KB

MD5
a37a93b816240c9c204f4d846d891795

SHA1
0d99b0bcb909acacc05917b12aacdb0fef66178e

SHA256
8d2af973980a16c11061245f434f690211e7f8b7da0432a5b3a96264a7e1cc72

SHA512
e842df7b52985e6d286a1b995124d5867f6ca4b836685bff8665bfc00fb3757ce7000660c12dfbc00f227b9b03bc7791687a6274afefd822ac4a9f195c283ede

Download Submit
C:\ProgramData\VORHPBAB\Screen.png

Filesize
406KB

MD5
2155e80a73d1dfb40b371546bff22470

SHA1
724640393acf4658e6df464f107606f8ddf33069

SHA256
caa019f8b227683ef6e44f6f80447a3a3a63cd43cb2e143b1dff8a3c71836d33

SHA512
acf11b2333d4d035e2573714708880cec235a251e75e9d9dfe0984064f1d57cc4b574185298807c78fdad1eedeb8a2aff4f6a430a6025b2aaec66aa29f12ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\25dKmIWQ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\25dKmIWQ.xlsm

Filesize
24KB

MD5
787c6562007832b664a55bc8791d752a

SHA1
de1e90c9afe2625a930f413c83b851fe0c0142cf

SHA256
8bbb951fb899e6f6c69d60af58f7f85cd590579f30ccf39205b62a4a2e279f05

SHA512
14316a23ce732d31cb87f49db9028e3c3e4b714e116482b02c0887445351069c41c902c8ba1e8eac9e8f3188bf257b3f480aca8a1291f1ebc5cdfe36b3b47242

Download Submit
C:\Users\Admin\AppData\Local\Temp\25dKmIWQ.xlsm

Filesize
29KB

MD5
0d9d020dd1029f6bd731843488de4841

SHA1
4a05f52b55e8332ca9b3a493bf4e4f261c74415b

SHA256
e32d9d27859fb23c7a2403833d4d617d5b4e1653e7dd69e2d3ad2de966a8e9f4

SHA512
f131125a0a2db9fdcb2d89e0e89b7366e41c57eb89ee0ae309e21cfc21fd9aed022ce9124946dea55db049fed8457c897a16338be2c8b66a3152d39b160d383c

Download Submit
C:\Users\Admin\AppData\Local\Temp\25dKmIWQ.xlsm

Filesize
28KB

MD5
98a0937ca8a2179cc058d5bc6c30fbd0

SHA1
4388d0bc8cb41d1c00d4109f084391d0e2b1196c

SHA256
c635d879aa8ed9ee3810e2af90dd030801c0419b7b7af8c06b2d9bcb235d5b8d

SHA512
7733cf9a84ab13c1fce7bab0453c344bd58ff8806cf35907dd7ae1f985e7ebf256f6aa001393395bcb2e799f5a2d43f3aedeb69d7cb2b3fc4d99667c6a1895f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\25dKmIWQ.xlsm

Filesize
26KB

MD5
4617bab21147e8fa01406f37934b6497

SHA1
3b81c9ef23e07c62f1faa0e43b3c92ee18d559ee

SHA256
7761b6dae819531782e644bfcc7acfefae522e07062c6e68f6e4c99a678d9658

SHA512
bfeb8fc0823e337125b0f54032c83034524f4611043f86ba579decf9ff26598a5f7e5d162c421f7a667e8fd3b7c63309798cc6ca86a7caed7db985b7ec1a4221

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
4c6b96a63ce26be74c69ac9aba134c92

SHA1
96c525141582bd9be736a1a664290e10dbf746cc

SHA256
0cd0934c0d26e45d6a878470ff659ff53a3800da396065e129c249273a8d6fff

SHA512
719180cd3767657637507e37038f9ff63b652f34e6fc22a82ac025cbe91df2a984cb6fec9111e8894c9a89d911a34049574ef2991aebecdecf6097420111bc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFD2.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD021.tmp.dat

Filesize
92KB

MD5
5a11d4c52a76804780cbb414b2595bdb

SHA1
14c89a2283c41b10ce8f1576404e1541c04a8125

SHA256
e1b3260b2607c6a5fcf91575d1de278deceaf4e5f9f0530a3782c6d9567749d8

SHA512
0bffe811cbba5278d39e20b66a5c4770e3855d1f5cbd45161e8ad304b78da73f555a3c42a198378efab3dfc81f384fdaefc6cbb893a708c7e2649a89fdd11762

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$25dKmIWQ.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Local\VORHPBAB\FileGrabber\Desktop\DenyRevoke.xlsx

Filesize
13KB

MD5
db31b25ecc302c4b621e7059e7636a93

SHA1
c20b5b2673d65ae3c84e535a7af1e59e355a5193

SHA256
a3695259c75a0f62b5412d11d582697f4f8feee8fcfd151ef77c198fd21c05df

SHA512
7ef666ac7d49ae5731103ac44e1687bd720d861cc87eb1ac010744f380835e4ba5bdaaab580f1bf89e14e903f77fc3d33ab8c53caef923f43c1b88477eeb89e0

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Filesize
321KB

MD5
88e556c4f90811d242975a78d9f230fa

SHA1
fff10abdf2f71f6197d2eeda52822fa549084426

SHA256
d59a62bcbadaea2c0a911e24bb842e592fe5273b15721997034e2e62a0444bc5

SHA512
81b2d9ecd35349dd792094bc46f0b235384ce9bb17ea25478d61d00f552813910149daa774d0a8b4df05fdc43fa27597845387db00460a0f71fba7e37f3407ca

Download Submit
memory/984-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/984-197-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/984-88-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/984-389-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/984-541-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/984-198-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1556-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1556-199-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2428-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000001310000-0x0000000001698000-memory.dmp

Filesize
3.5MB

Download
memory/2428-2-0x0000000005170000-0x00000000052AE000-memory.dmp

Filesize
1.2MB

Download
memory/2428-20-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-3-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2428-4-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2524-98-0x0000000000DA0000-0x0000000000DF6000-memory.dmp

Filesize
344KB

Download
memory/2636-70-0x0000000000D00000-0x0000000001088000-memory.dmp

Filesize
3.5MB

Download
memory/2772-39-0x0000000000CA0000-0x0000000000CF6000-memory.dmp

Filesize
344KB

Download
memory/3044-13-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-5-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-10-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-17-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-11-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-18-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-23-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3044-19-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-9-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-7-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3044-46-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download