stormkitty | bbbe89f639a538b804eefebffac0659d5879938423280baa10bf989a533f34e3

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Size

3.5MB
MD5

b710318c9e53a913b0980d712f545dce
SHA1

35a7fa3ce975e9523db30e0fa336f26df44dd595
SHA256

bbbe89f639a538b804eefebffac0659d5879938423280baa10bf989a533f34e3
SHA512

a43ac36654ef09ea1078a1caaf9fe354cf48b38aac52ff28b170fa197018bcae83471125a143b7689c0fbdca7c08a701f07478c13de58adcf5df3ffc502b6da3
SSDEEP

98304:5AyJqL5ceKpuULlMr/vOU/jIEeQfoR/IuOFVjUu5:5AyJHy1FIF0wu

Score

10^/10

stormkitty collection discovery persistence spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 12 IoCs

resource	yara_rule
behavioral2/memory/4040-8-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/4040-9-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/4040-11-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/4040-12-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/files/0x000c000000023bb4-19.dat	family_stormkitty
behavioral2/memory/3484-84-0x0000000000DF0000-0x0000000000E46000-memory.dmp	family_stormkitty
behavioral2/memory/4040-170-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1404-174-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1404-396-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1404-397-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1404-569-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral2/memory/1404-731-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3932	Synaptics.exe
1404	Synaptics.exe
4576	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Desktop\desktop.ini	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Documents\desktop.ini	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Downloads\desktop.ini	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Pictures\desktop.ini	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	api.ipify.org
73	ip-api.com
78	api.ipify.org
7	freegeoip.app
11	freegeoip.app
26	freegeoip.app
69	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3932 set thread context of 1404	3932	Synaptics.exe	92

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4504	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe
4576	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
Token: SeDebugPrivilege	4576	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 3516	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	84
PID 3728 wrote to memory of 3516	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	84
PID 3728 wrote to memory of 3516	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	84
PID 3728 wrote to memory of 760	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	85
PID 3728 wrote to memory of 760	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	85
PID 3728 wrote to memory of 760	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	85
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 3728 wrote to memory of 4040	3728	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	86
PID 4040 wrote to memory of 3484	4040	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	90
PID 4040 wrote to memory of 3484	4040	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	90
PID 4040 wrote to memory of 3484	4040	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	90
PID 4040 wrote to memory of 3932	4040	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	91
PID 4040 wrote to memory of 3932	4040	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	91
PID 4040 wrote to memory of 3932	4040	2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe	91
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 3932 wrote to memory of 1404	3932	Synaptics.exe	92
PID 1404 wrote to memory of 4576	1404	Synaptics.exe	94
PID 1404 wrote to memory of 4576	1404	Synaptics.exe	94
PID 1404 wrote to memory of 4576	1404	Synaptics.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
  2⤵
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
  2⤵
  PID:760
- C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4576

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.5MB

MD5
b710318c9e53a913b0980d712f545dce

SHA1
35a7fa3ce975e9523db30e0fa336f26df44dd595

SHA256
bbbe89f639a538b804eefebffac0659d5879938423280baa10bf989a533f34e3

SHA512
a43ac36654ef09ea1078a1caaf9fe354cf48b38aac52ff28b170fa197018bcae83471125a143b7689c0fbdca7c08a701f07478c13de58adcf5df3ffc502b6da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-10-30_b710318c9e53a913b0980d712f545dce_avoslocker_hijackloader.exe

Filesize
321KB

MD5
88e556c4f90811d242975a78d9f230fa

SHA1
fff10abdf2f71f6197d2eeda52822fa549084426

SHA256
d59a62bcbadaea2c0a911e24bb842e592fe5273b15721997034e2e62a0444bc5

SHA512
81b2d9ecd35349dd792094bc46f0b235384ce9bb17ea25478d61d00f552813910149daa774d0a8b4df05fdc43fa27597845387db00460a0f71fba7e37f3407ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AC75E00

Filesize
23KB

MD5
5788fc6ed7ca40f775c6c7ce9b1f6439

SHA1
13fad898da4fa1443b6828a846b21b897c800361

SHA256
1bbaa833e5c5eb57f81b73587caaf058a8bca10a8826146490793ded9850b3ef

SHA512
4efdc663ab1d5aecc98be221cb6da54cac5386a4cffe0c6dda28db48bf4782af2e12bcc91a475a04b94ab85d6032382db074826a05379b179b6f7721d05a7fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XbAo8QVc.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
ddaffee708f22a13d50fe4cf14cf49d9

SHA1
16a3a568ed44926aeff80727aa23f67f70d5e571

SHA256
56d4aaee3d420e8f4aa59e4c3becb04308e217675a838553291a899e29be02c2

SHA512
8afd7e846ae2d793c6a8cca93d9255622db2cba5725a0505b680366698401cbc3b175dab1a0218dba5e3aa6480f2a6e0625c07a9e0a3959ad624462220f64244

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC22D.tmp.dat

Filesize
114KB

MD5
e3bad5a8407ce8be2e003acd06598035

SHA1
a6bc025a692ae74493b231311373d214b72fd9b1

SHA256
29a8f30850aa6f08ad492c71594de5844e11ab1a9bc4b8e0432b137fb8ca2d69

SHA512
cce663e7318c9a9723a676e100dc77c47399f3ca3c25729781eddd4c63e7797c93ccca34c49a0eb725806691ffbec2699dd7d450f14cbbaeff8a3bb07a57e082

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC391.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7FA.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Desktop\DismountAdd.html

Filesize
812KB

MD5
015da0a1faa7d27e269a454a09209aa1

SHA1
acca5a06f73ba97312e0331f021ad6f13457486f

SHA256
ae42fa5f7b923708d7a8693fee86ae6d242f642b2e4dc45a96ba8fc8f4a41dab

SHA512
8c8808875e6acf4e936d2fc70c7d9dcc89ce53b648ada705421f6bd9844b6ef58e2a1eb6bf7fd4484b77a166d11f720366208963203eb38a8e11052990a2a289

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Desktop\FormatConnect.pptx

Filesize
575KB

MD5
40e89e6b5068d12340982b9828d035f4

SHA1
2c2b418efb095560fdee5ca77c77118b087e7899

SHA256
6d3874feefbf0c3d14c2177b516bff9c6494679a847bc592038c5f6597396b98

SHA512
bb762bd4260cbd26a87f54745ede14a2da8299220a1343544bd94876ade3806163c7a152da6f50bbec3e5924dfdb13c182ec0a86b5a1a19baab502ba23227423

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Documents\ConvertBlock.html

Filesize
540KB

MD5
7240a44ab698b77aad6ee69a0777c2c6

SHA1
c72177a89daca6554b6a9e5cd91531320fd6cf47

SHA256
a415186359b5cc0f97a0cc2de908378c74d6e35e8226ba2b0cebe3703950f3be

SHA512
d0bba73066282e82927c626910d623f1e9e4d6a2242237ef144041dbac525d427cf861972bc7efafeba44c2df009c7364b90a7154c7f6f52e532e0a37e7e5825

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Documents\ExitSuspend.xlsx

Filesize
1.2MB

MD5
324b969e7a3441f3db4fbca4862c38c7

SHA1
ee9c381de829fc29e3aeeb8e7a314857e72531b4

SHA256
8b5c99d88b472c0188d6b20b66a155f0b9eccf5c209d8b4eb946c7ed45219d2f

SHA512
a7deb21fe0d21be1b119dca4329630e78b1da82b4ddb79138b74abfadb25b0bd22e8116c8f82ba4d79e634664cc1cdf894456cd6e3f46afe91eff51b2cdedb0e

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Downloads\CompareFind.php

Filesize
494KB

MD5
084d292e858396dbe6165cb27dd9a366

SHA1
3a795abd47100fb20b2ea49ff2c4ba7317d26b78

SHA256
9b6e304232a189793cd028e79ea41005e89981c274bb2e9517999b9834c65274

SHA512
ffc04604d63fe5e2dd32ffcf5e543cf22c027c2564e5ce950882eff530a87c7710ae2a37b13905d6126e6c83df16c37696d7a99b528bd8016d2d3a838c22fd57

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Downloads\EditExit.pptx

Filesize
331KB

MD5
8c497b2024e10d225ba2a8fb8c4a1fa2

SHA1
a90d3ef6658d498009b6bbb796b27109f4b9e71d

SHA256
4dd695a8d112adee32ffa031feebf46fa01e199532c2382e19a667b9d421257a

SHA512
bc9b2c2acd17113c06a41dfd2804f500308fa00565259c199fc35ded267ec3b3411afaadea9e814463eb65de203f776972dd8a7e7508eb88957f05a3052258bf

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Downloads\EditShow.pptx

Filesize
461KB

MD5
ce5f98f5a24656d3c3534e03ea203f05

SHA1
2d9f940316e814040a00cf57ebaeb6d669570463

SHA256
03a98e368bc7e05b12b19cd6d8fd9d048dcad648abbae3e9b82738c16fb2bd1d

SHA512
a57025541354258a101f923fc0a07df6bf8883ffbc14888027791cab02e9e73b0412d871d1b647d324b62e1dac4e4defcf61f1ae5a1c6a42cb3b9a3fc54fa1c3

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Pictures\CompleteWrite.jpg

Filesize
259KB

MD5
72d95774471a28c546b646d7c08e2e86

SHA1
cfa7c1fe693ca5a26d0104814059d3ced3e98cf1

SHA256
26fff3b214ddc1221a356a37fc5f25733fb47e3a7d417b3969de9ddf185abcf0

SHA512
949ea507a005c38c060f2f5f4490939d156463aada1a0aac286d4f89c6a8b144a9ffd00d0ae78416ae20f7bdf136fc004e618739021108f952f555369068bb9b

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Pictures\GroupLock.bmp

Filesize
275KB

MD5
6029c917a0350af7383abe6456889280

SHA1
fdfa64fb51b7c94bea3ddc4d618b66f715ca699c

SHA256
fbaba81489bb625c9a71732fbc599b5782b95ef635ed9fadd67956ed9321e70d

SHA512
c2513ce71534505978a2d2e3917a87d66eafe30bceba31005cb05f39ad71af81a405e20e8e08acc94216f15cff75d3de54201635754a76a436ff5069d28a19ab

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Pictures\GroupUnregister.svg

Filesize
415KB

MD5
4ec2e130bdab2f188569a7e9a03f6751

SHA1
b1ff6ddfe240b513f5b7877cbf65a73e2679a941

SHA256
4ab0adff8c1277bb0dc6d0e8c474e3dce4b617e24ac102b3634e7a0527850bb9

SHA512
bac6222adb3a30b282d5879da681bf9f9dd101eaf34f41c3ff8ff95b5776abb296cd26dc025952b02eec0db325e1daff7fd7255d7aeec20c11ae56377cf06602

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Pictures\MergeEdit.png

Filesize
218KB

MD5
97b9cdc7e79ce5e9a62cbeb466a50551

SHA1
0e1c03be3176dc0631d87d3885f7a8613aff65a6

SHA256
ecc518878f3ee770c29f313b4c48c60c5b77b8b0468c64d07e1e70e1ed4c6371

SHA512
bd31fbaf1948b16ba8085e7be8d88c1ff4efc5c739b39e8a799334df8daac270e17315e68eec4a559ed0a73362d85368a05074fd248314c656177689c9c3530e

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\FileGrabber\Pictures\RestoreJoin.svg

Filesize
399KB

MD5
cc0bfd14f993c0cca80319cf42481992

SHA1
a00c7ac18101e09c20fab632b49fae4cccf26f55

SHA256
c382ac2a6ad1316eed780f016febde6b6637811b1d586bbc69f0d661e2da9934

SHA512
ce478fc6e5664926e7693ee3ab90dd2f34ce5c6ea7b06ddec1b7d38a92c2883e44f987e6900132565f6d630c32363dd69e123eb19e842d9c15a33f5621ac58a8

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\InstalledSoftware.txt

Filesize
1KB

MD5
bca4ee4b0d73edf2835ac08ab38d1bd9

SHA1
a833d7663f5edecc050b37b7efd1d563268ea0df

SHA256
0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f

SHA512
48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
590B

MD5
2a8a70337a6bba093b65475003843230

SHA1
ce70066521285d95648a299df1a1cf5a798d0f5f

SHA256
548b1133bb3126402a870b921e354a1b90c431892756bfd9e265b7f3b403e191

SHA512
cfc13229476d598828cad31842d89f9535a78d3fd78fe92ea1c6e8b015a6936b2e84393a94ec67b8ae1ec2698b580025d30c72ca7839bedb2e45aec15b79a24f

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
1KB

MD5
d3e4588c2b6e601e1d19c10769e146f2

SHA1
28a07dab1ab5143b08851a536a57c5ffc6073833

SHA256
ea9c24bad571c376c3ce510c894335627c488e9f4ee1f21901e87fa054adf30a

SHA512
94bb4151df86b0cccaaf3a678b28b36c097bb8f3285a4f4aab3ddbfa73a80ff87ae8281da9a3db006cc43fc04b01af47fb7a2c02483ad360d0a20346b47db336

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
1KB

MD5
b1338906593df5e70c8addd6ecddd6d8

SHA1
ba8a95ffcc3e890a206b6b6e9e17974ff222fb1a

SHA256
25d4035b9df809218e9820b20913cbd477f66c8d148459fe41b18e5a8af7c9b2

SHA512
e9451a08c8d355b259cd1102fa812a8d2e2a76d0d1e5d8f7d245f90f30276a31908e355e8db9d14b1a588544f6756dc3a49172cfc7e16e1d976bf6dc5bd8df16

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
1KB

MD5
54dcce2085547cfeaf51aa6d7d35afb3

SHA1
fd85ab89f96ab426e65908168d78b2682a962e34

SHA256
210fc27e16d6a1c288895343bfc06a9ce70918afe577d430dd2f6ecc76894b27

SHA512
05d7dc817135f0d6d18a0843ae09cc4f9198bc0c956b81cdd1aeef34aaa1c47ad4c1f32f989b8e7ebe012d268b4dc66a2c30f316135fe6064c6742c9bf64c4af

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
db0eae0d73595fa51c741263c95a10e2

SHA1
51930e0cdce3383864589270e2903e356623632e

SHA256
9c8730a456d24fdf9dc2807aae913fb12059c4e487880d29f6fb37f6ba9ffe4b

SHA512
d7d2b473e23edf40ed05c8d71e052210aa58958a6a43aec233b16dbe9c5d91e3990929743171d2e32fe0927f7080a42329bc221de4115105c3cc4279bb9aac2e

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
59a49f072949791446f6440412ef239b

SHA1
1afdf9444c2bd765544dba3c45625bd59fbba90f

SHA256
9319c7c14cd996b0bc4e45c8ec94364795f55460fa81fc3dba0e076c6db93749

SHA512
647de7e3017eabe6fb9d22f8c5be9492d201b1018cde26105f7322ee48002328b24a50de39175894d1a07551169cad393d18453ee3ee6ee5acb986a3402df731

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
ab235f8f92c8d9a957dab5317363c520

SHA1
a257e8082fd1cfcb5610af2f1fc340cfb4e596ae

SHA256
9b2bbc1eb886a023204f38720a0f780419a194ba1196492b86dd87464c3fb61f

SHA512
a6a1635705c7b3f181f9335c5fde14e63056e5f76cb34055fbdf044e5484e9a535fb9632e8fb500f2f6bc85ec8399ef4d6af4037e7d7a5387f090812264fdd4b

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
401db49953fd68e5be2a9c84bf4cd39f

SHA1
941e0dc5ba497ad38ff05d5931f0f91a9ae48678

SHA256
b3ed19235aa99139ad233108f558df05f75e566ace9dbeedfff11f43373c3aaf

SHA512
699402db476c52e7f213f09d141fd3948f11d880404d251a96e8526c87727c877df97d0892ec044e665f73f3b1b5357c78f68a9a2230d88fc222da07c304a1db

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
7e14fc5ab347a069eac0d63da1bb238c

SHA1
ff29b0c535194ff701a5653f257d7d19098f0e6e

SHA256
2d4c3d8a64a104da6a292841a482d4f24712a92fe5a4db7d3f4d6f2f9296d1bb

SHA512
13b3176a8e63a7d1fb25a9bd56bc9a8326a1987ed300b304126edee4db932a21d992ecbaca7c9ed912b08dd0f8c1d34fd312ba0d861c0f4c2af62accf76a409d

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
57b609ef967905fd95d5e57a316843f2

SHA1
1bb9b6fdee412ed8e5e5f9a0365dbaa25e4c0980

SHA256
66cb7aa472a366cf5fa97b7af10816ca1e84eafe648cce2d25693c9fdb4cffba

SHA512
56fa8c63518113132367f8d872fa2c9a0659a49fb50ff9bbd05f7e4550297afdf370dffe0b5b8fa96fee53c3b3c4ee14e16d420e6cbde276c4d5ffd71529ad94

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
845980910c5a211b6ceef2ace8c39c8e

SHA1
6d3893311b8c72135d3872c9bf50223c55f2aaf2

SHA256
7bc14f73365ba0140ef11275acb073d218bc909c395006e74d3a1ae49fc69191

SHA512
54ac1bf54776fb440ed3084c06383befc7b7b5281fce5d62af15bfb2fb99255d4fbe0541bd2e4689c3cedf4ef86efef8b6dc00af889787fea23ffe7992d232d7

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
5772fa62ee59e216ee800642f7e13bdd

SHA1
9c45667552748c7c9f7a86be244614b382a3b433

SHA256
9ae5163d2e27ad9fb74c7d13b0cfa2e3a680d75a3e0ef37ea21bba8434ba30f7

SHA512
7c4d053609d8107a4cda7ef4328b55cc892e5c4b1c033354d10626f9dc6bab340955c5d02487a80ffca27eb1b5feb92432ba2b7a19f837c0c43202257218c258

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
28e3796a2888bcf7a393ae2f14e2498b

SHA1
fa25bb52738062cf3517791c53a74daa99e39f5c

SHA256
3ee06439f55bc84e41b8fb62dfd2877011d4ce38f6bae1e904f923e1667c72e1

SHA512
5f8d78070be8a1fd15bea05613459aed3ec1e5f6a308328faf847f0493c1bbd8d86652c696791ec1fa914e26f98773f1efdd46ec6bc0c9aa9ef07188579ef2d1

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
2da362beadce1794e63d17a599f4b158

SHA1
cab72a826ee3379f86e3c85fd1256e1bad0dbe55

SHA256
a10776ac7dcb73a97d5c4d269c5fd1107f7fc39055d0f4f7407daee507f06799

SHA512
a60aff795ec55e834b73aed4569ea422313bb5ccb67bb9ddc65bf01f36cdd38b63c84c6cc4af81b7a207c6bb5d35d1d8fa5709ec16c6ed75750abcf3d777a79f

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
db62290efc66cc4ae3e28df893135b3a

SHA1
81b9b8cfd127976f6e66817b052522e4c3831e07

SHA256
f0b130d579979cbb7fc15e850d08de7147a2a68782fc3134e919e618fad1a95b

SHA512
4f969be6bf2cc293e2823cd1683a7c55eb333d9e44bd936fa15e504210b7cdabbf958be44ce8bda53eb651626c635da4c2ac794161abb9a79eb2604a58b62e7d

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
463fa37031e4305234466def16cb1369

SHA1
7cc5ff311bd0990acb2a7fbb1f54506fec187ca1

SHA256
2b9d00602fe0a9a2731abddb33d5b0ca534d9d6481136a385ec03b3300aa5de5

SHA512
6294ce060eac074ac142639098cb4c19b7e12535b4150e4536eab4eccb4f1e7bf80041a259cb4a524a77ae8d49ecca95cb4498ce273d345412d7c02fbc9968d7

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
2KB

MD5
e895cc196dd6f970a9483a5dcdf660de

SHA1
697efa4a69cfbf9ba9344e0b63da59674d1207fd

SHA256
4a8243f035c5c70795c0fd64e373a97b2e0f092f5382b0c86af683c13a571ccb

SHA512
25ccaaf1caf090f859b57f5b1affe71f17dd9ca62c309f809aa645768536d29ddf0aee80cb17d2b7d20e74778e3c0f8c6f968a2d76f7cea19cde3b0ed7b8a4c9

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
8467e2502939e47da14a0c1fe42da927

SHA1
1ccd83504815987fa63d299c039942baf9bc0681

SHA256
a6bb5e11f7d30b269295b9a70fdb651419c21a6c13a4452eab26a4937b8c1673

SHA512
574eb6e3c336f13d5c978818cbd8bebd5010fd48a180635b162626097de2e41a2f039052eea6f6ef55eb741f243991f4c696ddcce1b632270db21f33bf7ab194

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
02b5fea14bd3f2c391fb492eb41e5aad

SHA1
18de661c1d19bdfd7f1b16e626a781b535d45687

SHA256
b39de5d6ef8f5f1767cbc5b291b08b8da3cdff884b6483078e04c68a36269fc9

SHA512
701550eee2165f8b5856bdf0ab9a59666b7c1867a5bec12d99e4a9acd1a315f8367efb64d1f97d6546b683d2584c0ca79bc3a43db122e9ea450f7ade126ebf4a

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
8626f055b975960c78d714deee6580c8

SHA1
58dcbaf7a2f768f9d65e1702bbc3ff8863bd2c32

SHA256
42aaf247063f6fa9739554742ae57d58a2a81e4be2f96727cd18660ac45e9466

SHA512
71ed212cf0c02b894263f52c828ee5e6ee2b8228016b229ed73ae31e433462c063d67596b4c8afdd29ae72e0efc2d8fcc85a4eca7080d7159590eadfde45b2c7

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
b84bbfc1055ef173c311c47736c478d9

SHA1
b457245a1a95885508eedac4327a1d9864cb1d55

SHA256
74dc93fb0e19f1fb9b51683ee72df0293381c6e1260c714125d672c6ecc80c9a

SHA512
2eb1bdf6687d5c8ed75bf496bf73333fced4bdfbbadc5dbb70075c7b0ad9b8a75da06f46bd626b326928057330e8bddf290fbd70c1bac130112daa1ab2acaaaa

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
9ce7a3e2eed00f024f6578db9bc6b2f2

SHA1
77b7b3de0f0887c930387b306798b20a7fd6f9c7

SHA256
0558d3c8f1d27b1034c4befef17126b8fa11c9c357c650cadb6f827c06200d59

SHA512
2e7f09cf5f18efc91448ed5eaf1919b84f7cc528b7c2d964702227ea4cf1d4500dd6801ef1a6348f1f1926420cffde907085b4272bdd23536263b94aa791638a

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
51ad263f7236049b52e5c89e0af67ed3

SHA1
40fe0e45b2cabfde1342618b9eb21b56facedeca

SHA256
afd9e980e75d30c269eecd3bebb11dd2b399db5e3802051495c46663b0d81373

SHA512
2325b017351feb8aff51d9935b89721607de29ce60949c1cb713a09431e9e51becfa1781cc47c59a1cd5da11eeafd8f92962cbf413096085b41075cb637ac7f8

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
c9a274c9507023294e6e822ad69a38be

SHA1
a08ad1ff116af2e2b823b72d565b4b355d955318

SHA256
eaafc532ad8a07fffb18b65d1fb93e5d5996713b148db04826b50647f72e2a60

SHA512
c2c1c2dff4ff5ad395c64eeed9394924a08a98681d31b24ea6164a6518966f96ecb13e6fba06a7eb4143e7beee57b191cbf8763d138b5293ff62963721906e40

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
30af8d987d0a2f0feb8cbd94dadbaa9d

SHA1
9b30096d7bc676830a319b983b5db4efeacf041e

SHA256
b7658a91c8537d07e769dfb0c54276bb3d432ada85bd5a5b3af42bd940b804f2

SHA512
f93f30749f60ae7e02863ab93dd69f6d4374c7cf5589c6e0446eee7e4c8a9bd809af315ee4fb9dd496c3255326ce01e287495895dc6fb4e470ebf75c548bb0fa

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
443f0e5e872369b5b1c36203c6dd4db0

SHA1
ff354717e50ab7e613a8f17e3b5a0fb39b5b2a38

SHA256
8371a9d1eda1896ce0e12681c7ae4df25665d9627dc021aebba68709c01b1f00

SHA512
5c7fd014f3c94a59ed58d90cde53f41d8db3420e562ea5c14df2fb8dc8b30872283c2a3a65c50ebe231597c572d486a60f434a6dc346465377e6dc5f34ff3d0b

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
d34a996223b197934e8524ee2b43ef19

SHA1
6897f7b40b4094680fd5102e27d21facd8942857

SHA256
613d4e9ba200b0008ea8cbd68fa5dce0fbfe735dd20bb9a8616ad42e2a3cabd6

SHA512
5e0c2c77454f153fe0ab736d9076d04fee9db681cb814cbe51ec8c66372b85bcc9298c405dbd7d235fcbc1b792ea5c130d39d266eb06e510e994b004feebd673

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
a43fe3ab6d50bf9fea0c75f0d6519acf

SHA1
f3ab07ffb7247633a117026c4d0e6365f730ea39

SHA256
101cbc59413521ec8902d0aa1cba9048c94f5d6655f46fabc791045ca9f99078

SHA512
2d43e615ac4436cc4ca0e2fac541ab9bd460416d15a1abb72ba5e7c54785017e3a0a8304e434be3319b2ac6669bec8b2f620b9af6e55d388874f205cbb8a16ae

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
45a28e919011f514b0b7c262cc9d7639

SHA1
9400c80baab6f094ffbff5afee1aaf4d752abce7

SHA256
2009739863d513aaa13079e5c0f2e66ec9aa6eb400e7ad44eb971d62312ed418

SHA512
1b5e5bb17a1a0b3e91e5553f09fe1f5eefcb18a9adaca70791b8195b6a39661565c1aceee6bf87bb4e98f124d6dde291a3e2e9ac5f103ee753ce5fcf7a6289ec

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
0fdab322542be20fd7d4a5313139b91c

SHA1
d7fc5c1a5cdd5d96c1cb2acb8eca58d4c384c4e2

SHA256
96a5b1d2135a8f7e4557009a6afd2d3aa23c3b26011d3f59bf634b550d3bab99

SHA512
979795f2347b1bc99e7e9dc77364174c6a64a61f67ecf30f68fbf21afbb113357db3b0b15c64c5e9562821ca9f2682cceb0bc574ca1b375c98dcfaa857fbc1d5

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
2cf3f005334c9e7f05f60f6c95be4871

SHA1
1453db09c030610949caec2a3c1cfc4d50ef4bf1

SHA256
41238be670e4a45f7010a03b01d26af86f6ad191ca91a9ad10cf7085292baa85

SHA512
3cfcc3a99c290c9f12e08cab3a80e70fbbf09359d7dcdbf57c698782a396ea262b74c17bf805923158cde102868ca309eb622f034089e3ec09b37591daeddbd1

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
61f803f7ee7ee02f9f40fdf7cc347c5d

SHA1
e07750511e0fcda59c96efb1d9a73467d8adc23a

SHA256
564a9501ed066dc96e58fafe5a8f4d80c71ac1eb551d3488cadd297d89b9aafb

SHA512
3bb14b686e08f48d5037f22937f1b3dcee90968b570395bfa639f6e4497ff9e8158cd9de8aff80a3357a23cbc2945b831168034983a7a2e4f2b1532e3eff413b

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
3KB

MD5
fb86e5a106cfb6d4642e0753d7dc0741

SHA1
6e80a342fa97308673369dc6e3fad56974ea5697

SHA256
210af6f75551eb6fa681e5fd594a61595783beda9211f3f6eb4e3cf93d455bf4

SHA512
3b0beeda7f206f02d0e256e5fee29357956464c52e8ca17b644e255d1d591760bb56a8064de0af74af7f3d4f84b0a65098503fb3adc5295d5ce4a46db1cc26ac

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
549da6d57f9990a049c0d1da7092098c

SHA1
bbab9be4c6405fbb44a1f81f22dcf3ff5c19a7e4

SHA256
1a9327fe37dda13c626c3f9b203215b74db9583b57d60d5e3eb93940e58a3b13

SHA512
c0468df2102045fc3f280a9f5a4646767f82902c2c35e43314703ab60e7ac0b37705ebbdd43678f0301801d0622734cb4956cf533bf1b84ec7e4fc881d3cced8

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
dc03cc3984270dee352294100ad3ff62

SHA1
3948ef275b81b8b7aca1f22f9a3f25e1803152f0

SHA256
f7e8b60e6e786fcb20aaa2f7dbd2e96359b22eb66ebc16fe86f87ba1a9fc66bc

SHA512
f7c2d486f1d08b0fe09b256069122335c0b1f4eff9895ca1a84a17d0bcc06c35d6198a5092c6aa4bbb7b50f661255493af3be6538f64ff76e4b4ea95b871362a

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
bf6be613c4f30c5507a7bd4a2a28e045

SHA1
9c30c8a74b58ee76f400858542aab0602461a6c0

SHA256
91866c4bbe3949fd37fbb40923924302fc4e6f92658132866f9f1d030b4c4685

SHA512
668fa4fc18ec42afb2fe83b36b75783e5a448b53313ac903370aaaa77150f7506e44cfab569d5b1d8ec060da66192643505983c1acbe3ecd4e2e8ae349df7386

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
02a67b9cdde199385d10a3462e807651

SHA1
6e4ee7a78c9e63836c390ee26790df0ad2e3dc0a

SHA256
3782689bace39ff428ae0ac0332b2b38b52959f196e1d1c289bb1d562bdabec0

SHA512
8afd1de167f042452104b9c914da5cdba494850927615b162d95cc012d3615fed157ca281bbf05eedfaa2d86ac00e00e9892b44ac0605c8e56d8400532e862bf

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
beb5d55f71ed30b8a9401d565ebdb64a

SHA1
6304d9f9c20d8ecc0f201d2eeb55ced11c031ebf

SHA256
d2d598009c2d25d4197c68178530322d64efea6a5646aa04804f2e95bab9f78e

SHA512
1b80da1e594544963ad950c560828e668c89ed97240fa530ae055d4505aed514930fc11c4a9fb6975c984e2358bf7ffbd6dda6f6e0439e23edf6ab5fb723dc34

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
be64f4bcf17c2e524e34f2e200701f8c

SHA1
63b975ab9a87af06c4498c76647f2cb55d6de5c9

SHA256
57a16c434ece5a3baad88c8e5029147b974da3d8277a39beffd6e91e14240027

SHA512
b055953cdd69d143acd6b4d08d649649bea3473a6023a3cf2c00727a0aea91990b7d6dc600da8eb8ca7ea764d1a9a10e7e384a7891e3d74294987f6fff74a70b

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
66aaaf406f7c87f250cfe1583651454d

SHA1
cddc62fb17a852005a78182c15b414caf6e15a29

SHA256
fe54c044f28d85a1202a864c08db7cd32e70d554ed41b01ae0845cfd73e78847

SHA512
a9d6d2f0b8c9718038d4b8ad49f0b4a1e215caf45d730c9053dfa9170f38f65ac179cd4f30a1fab275b6c2565970f07edb81db220e43f3be2da85c8bde77a73b

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
1587e8e0c531952a69d2b0a5a3f1aaa5

SHA1
3d3c41c953d63ba651d6ef6af746439476da2dc3

SHA256
558befa2a21ccae5f164b45e0dcdb3f067e68392eacc86770f8c87bf0870a6d9

SHA512
11b4344b679dd829b5a145e1e40e25711a6ee01d98444ad7f9c256b5cbef4fcaeadd746c7ff8e5fcadc49870dd3056f98f748a4c4a57e8989f58540ad4b3a9c3

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
dad1bdb1fb7a6d9fa9650a7845516721

SHA1
e593b9d62030690ed16efe4052cb91977da0f1ab

SHA256
e06ccd22738114a2498f66e49e22d33f181710d5161ccbffecf5dcc251fc17a9

SHA512
2197df4e4da2d8afbb8dfb97ceb1c46dcb2cf73bd4cbb929c4d8900fb420151e9fe1a41b820b8dc3170ab220f0fcc59d7902c579244c137c796b8812cbbbd3db

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
8d8d3415a7b617f041c8c4e9ca6e9121

SHA1
a12e612a7fb2f064b2ea60daf6149df7434d9eb7

SHA256
202fa27cc2d5503bcf7c7913958038c43a3f0ac46ac366de289b2e749651882b

SHA512
ef8627468978b9bddeb82fc966b0890a464b88642372fe35ccd45d327f5e28094119b88138ccc715da4ec68e15113d7f43bc4c93f218084dadb7b61259192958

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
4KB

MD5
21440ca41574b515c795f2f4c397ce6c

SHA1
4119656970676d193987d2754ff02ad9974d5c9f

SHA256
2dec5802203838b1456ea6a0b038a6d7d2c973fc0462bca30576dbdf9ea666af

SHA512
311bc101478d8094e872cb9926c9098fc109e39f60c5468b61afec45ffb2a20185d4e604619c37019545aa42acf8437c253be269313c57de1c97892865f68a2c

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
5KB

MD5
3b321f249087180e3ad0c2773c8b00c6

SHA1
ce2756a4a694699f0a2a9436a7201347e1ea5fff

SHA256
01fde48c06544b261cbd551c3348bbfa233422acb88f717e291e0084ac2c0ab3

SHA512
77d63cf0dd616249384415e7b8325106680b3d8a546d8c98570b37779f9ed2a63c2dd09733675826215343292c7a3bec8eb2ce63c591afd5ff99ce81cbbab422

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Process.txt

Filesize
5KB

MD5
69ffdfbcc90d88177de1db9ed242b9c3

SHA1
92483153b8752436b273982e8e11be3423170a69

SHA256
d69b91b84862d88cab14b7be20fd7e363bbe52d06cb62ec9af0d2f58c8678572

SHA512
6eb2f7197677715eb2b29fa87998c417ab327f7421e4ee0d63df9522078e13a42ea376a780af07ef7661154ae8834b7b23aa045d86078b17691b3a3b4c1bd952

Download Submit
C:\Users\Admin\AppData\Roaming\OZMCVSQS\Screen.png

Filesize
428KB

MD5
c067168b4ae6ed4b206bb814ee329088

SHA1
592b613abc348e97a77a5c34d7e1b9feaba3f389

SHA256
60185ffb48edd151c3aa59f18e3150dff1b6151df10ccc65a6b28f9f7ea418c0

SHA512
e8b3fe164e3e153a3fa05af0453f77dff5e784c2214b4b0c7b9a8fe690b05ed1cc44a1b75c64111a684529b7fd34a2b565987c78bf7adf6eb8697cb1cb1b04fd

Download Submit
memory/1404-397-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1404-174-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1404-569-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1404-731-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1404-396-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3484-232-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/3484-85-0x000000007294E000-0x000000007294F000-memory.dmp

Filesize
4KB

Download
memory/3484-84-0x0000000000DF0000-0x0000000000E46000-memory.dmp

Filesize
344KB

Download
memory/3484-617-0x000000007294E000-0x000000007294F000-memory.dmp

Filesize
4KB

Download
memory/3728-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3728-1-0x0000000000690000-0x0000000000A18000-memory.dmp

Filesize
3.5MB

Download
memory/3728-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3728-3-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/3728-4-0x0000000005520000-0x000000000565E000-memory.dmp

Filesize
1.2MB

Download
memory/3728-5-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/3728-6-0x0000000002EB0000-0x0000000002EBA000-memory.dmp

Filesize
40KB

Download
memory/3728-7-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3728-13-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/4040-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4040-11-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4040-9-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4040-8-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4040-170-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4040-14-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/4504-279-0x00007FFED2800000-0x00007FFED2810000-memory.dmp

Filesize
64KB

Download
memory/4504-264-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

Filesize
64KB

Download
memory/4504-267-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

Filesize
64KB

Download
memory/4504-263-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

Filesize
64KB

Download
memory/4504-265-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

Filesize
64KB

Download
memory/4504-266-0x00007FFED5050000-0x00007FFED5060000-memory.dmp

Filesize
64KB

Download
memory/4504-282-0x00007FFED2800000-0x00007FFED2810000-memory.dmp

Filesize
64KB

Download