stormkitty | cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6

Analysis

max time kernel
82s
max time network
30s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Size

1.6MB
MD5

3420f30a64bec629d676254a475823f0
SHA1

26722aa62e36e90daee1f1ef2f8b754584aba419
SHA256

cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6
SHA512

4b167f5e5bccbfdf7b708dbd3545c4d52d8b751a0658a0232be114a355ab52e33d426708d9098dd85c1393188ea3e241fd01b6cae71a32e65f8821bb26ce88ef
SSDEEP

49152:KAXCw7uq6e14Y18bVeKTAknS/G/ZT9JlPebr/Imnf4bacz:KAyJqL5ceKpuULlMr/Fn7O

Score

10^/10

stormkitty collection discovery persistence spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/108-16-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/108-17-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/memory/108-15-0x0000000000400000-0x0000000000526000-memory.dmp	family_stormkitty
behavioral1/files/0x000a0000000122ea-23.dat	family_stormkitty
behavioral1/memory/2684-37-0x00000000011D0000-0x0000000001226000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 2 IoCs

pid	Process
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
988	Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\ProgramData\UPNECVIU\FileGrabber\Desktop\desktop.ini	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
File opened for modification	C:\ProgramData\UPNECVIU\FileGrabber\Desktop\desktop.ini	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
File created	C:\ProgramData\UPNECVIU\FileGrabber\Downloads\desktop.ini	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
7	freegeoip.app
18	api.ipify.org
19	api.ipify.org
20	ip-api.com
22	api.ipify.org
23	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 1088 wrote to memory of 108	1088	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	31
PID 108 wrote to memory of 2684	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	32
PID 108 wrote to memory of 2684	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	32
PID 108 wrote to memory of 2684	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	32
PID 108 wrote to memory of 2684	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	32
PID 108 wrote to memory of 988	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	33
PID 108 wrote to memory of 988	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	33
PID 108 wrote to memory of 988	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	33
PID 108 wrote to memory of 988	108	cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe	33
PID 988 wrote to memory of 900	988	Synaptics.exe	34
PID 988 wrote to memory of 900	988	Synaptics.exe	34
PID 988 wrote to memory of 900	988	Synaptics.exe	34
PID 988 wrote to memory of 900	988	Synaptics.exe	34
PID 988 wrote to memory of 328	988	Synaptics.exe	35
PID 988 wrote to memory of 328	988	Synaptics.exe	35
PID 988 wrote to memory of 328	988	Synaptics.exe	35
PID 988 wrote to memory of 328	988	Synaptics.exe	35
PID 988 wrote to memory of 1720	988	Synaptics.exe	36
PID 988 wrote to memory of 1720	988	Synaptics.exe	36
PID 988 wrote to memory of 1720	988	Synaptics.exe	36
PID 988 wrote to memory of 1720	988	Synaptics.exe	36
PID 988 wrote to memory of 1700	988	Synaptics.exe	37
PID 988 wrote to memory of 1700	988	Synaptics.exe	37
PID 988 wrote to memory of 1700	988	Synaptics.exe	37
PID 988 wrote to memory of 1700	988	Synaptics.exe	37
PID 988 wrote to memory of 2752	988	Synaptics.exe	38
PID 988 wrote to memory of 2752	988	Synaptics.exe	38
PID 988 wrote to memory of 2752	988	Synaptics.exe	38
PID 988 wrote to memory of 2752	988	Synaptics.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
"C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
  "C:\Users\Admin\AppData\Local\Temp\cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Users\Admin\AppData\Local\Temp\._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2684
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      PID:900
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      PID:328
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      PID:1720
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      PID:1700
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
3420f30a64bec629d676254a475823f0

SHA1
26722aa62e36e90daee1f1ef2f8b754584aba419

SHA256
cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6

SHA512
4b167f5e5bccbfdf7b708dbd3545c4d52d8b751a0658a0232be114a355ab52e33d426708d9098dd85c1393188ea3e241fd01b6cae71a32e65f8821bb26ce88ef

Download Submit
C:\ProgramData\UPNECVIU\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Desktop\RedoSet.txt

Filesize
712KB

MD5
317eb18458d850495d0c70e2c308ea7c

SHA1
627de99ad7ceabcf9c54bb1a733c9cd604195d39

SHA256
52c45b96a2b0281b6da1d9f62c296098941c6dc1271972bb4667da18bd4cc737

SHA512
e000c9540cad58bfbed0b349159e429a9e9bf8b7d5cc9ba592d4cabfade4f78fbadaa0084b7c57374184a0f0ef1f3eeae41465a500c1e8016833407adfcffe36

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Desktop\SendApprove.ppt

Filesize
361KB

MD5
2fe4676917a626416a5d662e780c0f95

SHA1
0c4f30067d111454c21413ba8c64e6946840b896

SHA256
4696df4f7ec5ba35eee5aa0b790a0422f5038d4debad15302284568249238332

SHA512
0e57b7af31614638bb7b1387bb1f7b821e196f3cae6bd4ba8e27a6ccd42f12bf0a55ffb9f50db66ce6509d5420b19b65caa3e5079cb7a385d93835437841502f

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Desktop\UnpublishMount.png

Filesize
515KB

MD5
c1493dd1556816ab45f20a0717cf0120

SHA1
c45f80cb2a653e1b0db28fa8b5661fbf87edfc44

SHA256
ae1957ff820b5cc643279df3f7858a3ddb8d757328527b76b80301f9a7c1e715

SHA512
41856e34e2cd727d40db9068b1c00adb263fe95fb3b4450c4373e174e552c676317841eee75b6932b2385cfd7ea6609caba0d92f7a539eb60839a9d813505b1f

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Documents\BackupOpen.doc

Filesize
768KB

MD5
76f0dc6e09bfb633b83703027c7e3b11

SHA1
d721be2101467013911c228285492b44476165d0

SHA256
8a0b49165f1654d2635f246541e9ae641009c59269ad420e62b9f16ad7ef8d62

SHA512
ebe6b153cd099fb1b46fae4a45583bcf852916f23b6927b89f549a304197fa3ab3b7cdad3b44e552134ca496793e3ed27a2066345587fdbf82261e1e7b0f0904

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Documents\CompressRestart.pdf

Filesize
1.1MB

MD5
40a26c6f3d43d9efd327a28f890198fc

SHA1
280a8c255b4cf083786984d4b954b38314a1136b

SHA256
34239d47cc8ec661f74feb39b88af1aed28177e1e0e073c10716699f90dded60

SHA512
54dc81d9d0eecef5a497fee69e5e518a4edbea19f64a878a9927104f085718782568a8050729f59700b09c6c7e82b19be348b93ac6074459aaa6a2cb3c131384

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Downloads\DenyGet.jpeg

Filesize
850KB

MD5
1a4d554a38819ab8c7181f939d568074

SHA1
470da213a39a8be312c53578bc44ff0dce5c28b6

SHA256
f01988264b63928a3a1a2fc1de38c46c74bb3969c990c8f7ac0b6fe18b73d21f

SHA512
fc8d06c3548c7c2da145a4ec96f488a7b69d255818887cc9878610c9614fd78f7b7e8b1595ad656f68df662fd7291674f92969e7ab63f23e09e6903efb105bb3

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Downloads\OpenFormat.css

Filesize
545KB

MD5
f5db8d393574328ad0ac48ddee9dea4b

SHA1
35ddf64ff55068809ed832d62c282a9b26b96847

SHA256
7602d500550764915e6661f7a4a3fe6101ee1c1a66ee747bcdcef7ae6f18da16

SHA512
d214641af1bee6878f91775c819061dee4287a2ace3bedf31a875015cf7a5b39b56b70b3c5b908568f05668fe6af3654093fbada8c44f3b7a476fa15bb1438bd

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Pictures\BlockReset.bmp

Filesize
335KB

MD5
e4a51668da3cad10dd2af2f1ba93fe26

SHA1
3022aebdd68c73055cd97fb4ba138856fc500067

SHA256
6b4f13ac8edebecfae8dd9645a1a28c88028f0de155031abfc4508366ba02cf8

SHA512
3a25a9492f457c17187451adecb8079413e268f97a7d81ca1b001b39bf18d9a7841b5f1602a2e66631499afc4e22f36f5d8e62dd6569778c9dbe3e5bd7820c88

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Pictures\ConnectRevoke.bmp

Filesize
497KB

MD5
dcf9a422b5b08335e7de337e7b032e14

SHA1
ed387f37b5dfbeef5309534338c23f7160033f45

SHA256
51290bcf247a3f287772a6e383a1d1d3a1b96b65ab24c424292287aad1a8b8e6

SHA512
bb59d99ff9ae1661eb24978731cdab6eaed59b5ae1d68619b577aa1d14a3dae042b339a832b094b09ca79aeeeb75f7043ea4ab3f3f02f33f4c580ebf0bff70dc

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Pictures\CopyCompare.bmp

Filesize
682KB

MD5
5b441478d2a7819150a20d9beb624483

SHA1
6dbb3355c48fe7be6a8aad54497ae0f07d4df613

SHA256
5dfa0c95979a21ade52d38c8955e7516f8311f50672e2e22ebd3fa43e6da6c2d

SHA512
2ea32c2f3087db273c47bed9048965afd20a43d7badff7588e0a0794dc3f0fa9956ed13588e1a1a3a3922cb1dd1d3ed44f3af67bc5b7e69b888fb85ed74667d1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cb41a8b4efce6ec7fe93a6878964c4492a814b03e9edb0e434d8f510dac4b2d6N.exe

Filesize
321KB

MD5
88e556c4f90811d242975a78d9f230fa

SHA1
fff10abdf2f71f6197d2eeda52822fa549084426

SHA256
d59a62bcbadaea2c0a911e24bb842e592fe5273b15721997034e2e62a0444bc5

SHA512
81b2d9ecd35349dd792094bc46f0b235384ce9bb17ea25478d61d00f552813910149daa774d0a8b4df05fdc43fa27597845387db00460a0f71fba7e37f3407ca

Download Submit
memory/108-17-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-11-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-15-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-5-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-7-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-10-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-8-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-16-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-6-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/108-18-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/108-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/988-44-0x0000000000330000-0x00000000004D4000-memory.dmp

Filesize
1.6MB

Download
memory/1088-0-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/1088-21-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-4-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-3-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1088-2-0x0000000004B90000-0x0000000004CCE000-memory.dmp

Filesize
1.2MB

Download
memory/1088-1-0x00000000013B0000-0x0000000001554000-memory.dmp

Filesize
1.6MB

Download
memory/2684-37-0x00000000011D0000-0x0000000001226000-memory.dmp

Filesize
344KB

Download