stormkitty | 71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Size

1.1MB
MD5

e10d4a9fb3f6cb40b721a883f5b21333
SHA1

2593e6d56fe6c76216c026eaf44aa1fdb61137ff
SHA256

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c
SHA512

321137c35b903991c1653af0bf704dbe9c7ded42b941260a7a3222b0407d5dd91c593fca18ab599347fbcd985a29aafef45d97990c170c1f1dca4f04d59c22d0
SSDEEP

24576:5nsJ39LyjbJkQFMhmC+6GD9c0P8j/svqA:5nsHyjtk2MYC5GDzP8j/Mq

Score

10^/10

stormkitty xred backdoor collection discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225d-8.dat	family_stormkitty
behavioral1/files/0x0008000000015694-16.dat	family_stormkitty
behavioral1/memory/1192-39-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral1/memory/2820-36-0x0000000001280000-0x00000000012D6000-memory.dmp	family_stormkitty
behavioral1/memory/2996-50-0x0000000000060000-0x00000000000B6000-memory.dmp	family_stormkitty
behavioral1/memory/2348-412-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral1/memory/2348-430-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral1/memory/2348-511-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 4 IoCs

pid	Process
1192	LocalwCsRGYdPHX.exe
2820	._cache_LocalwCsRGYdPHX.exe
2348	Synaptics.exe
2996	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
1192	LocalwCsRGYdPHX.exe
1192	LocalwCsRGYdPHX.exe
1192	LocalwCsRGYdPHX.exe
1192	LocalwCsRGYdPHX.exe
2348	Synaptics.exe
2348	Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	LocalwCsRGYdPHX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Documents\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\UPNECVIU\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\UPNECVIU\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\UPNECVIU\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\UPNECVIU\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	api.ipify.org
5	freegeoip.app
11	freegeoip.app
32	api.ipify.org
34	api.ipify.org
41	api.ipify.org
8	freegeoip.app
15	freegeoip.app
37	ip-api.com
33	api.ipify.org
36	ip-api.com
46	api.ipify.org
35	api.ipify.org
40	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_LocalwCsRGYdPHX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2560	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2820	._cache_LocalwCsRGYdPHX.exe
2996	._cache_Synaptics.exe
2820	._cache_LocalwCsRGYdPHX.exe
2996	._cache_Synaptics.exe
2820	._cache_LocalwCsRGYdPHX.exe
2996	._cache_Synaptics.exe
2996	._cache_Synaptics.exe
2820	._cache_LocalwCsRGYdPHX.exe
2996	._cache_Synaptics.exe
2996	._cache_Synaptics.exe
2820	._cache_LocalwCsRGYdPHX.exe
2820	._cache_LocalwCsRGYdPHX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2708	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	._cache_LocalwCsRGYdPHX.exe
Token: SeDebugPrivilege	2996	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2708	AcroRd32.exe
2708	AcroRd32.exe
2560	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1192	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 3036 wrote to memory of 1192	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 3036 wrote to memory of 1192	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 3036 wrote to memory of 1192	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 3036 wrote to memory of 2708	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 3036 wrote to memory of 2708	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 3036 wrote to memory of 2708	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 3036 wrote to memory of 2708	3036	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 1192 wrote to memory of 2820	1192	LocalwCsRGYdPHX.exe	32
PID 1192 wrote to memory of 2820	1192	LocalwCsRGYdPHX.exe	32
PID 1192 wrote to memory of 2820	1192	LocalwCsRGYdPHX.exe	32
PID 1192 wrote to memory of 2820	1192	LocalwCsRGYdPHX.exe	32
PID 1192 wrote to memory of 2348	1192	LocalwCsRGYdPHX.exe	33
PID 1192 wrote to memory of 2348	1192	LocalwCsRGYdPHX.exe	33
PID 1192 wrote to memory of 2348	1192	LocalwCsRGYdPHX.exe	33
PID 1192 wrote to memory of 2348	1192	LocalwCsRGYdPHX.exe	33
PID 2348 wrote to memory of 2996	2348	Synaptics.exe	34
PID 2348 wrote to memory of 2996	2348	Synaptics.exe	34
PID 2348 wrote to memory of 2996	2348	Synaptics.exe	34
PID 2348 wrote to memory of 2996	2348	Synaptics.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
"C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe
  "C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2996
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalfoWhpQgnAt.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2708

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UPNECVIU\FileGrabber\Desktop\EnterGet.doc

Filesize
359KB

MD5
a0b84cec594b4ab13ed1a2a603bd188e

SHA1
d5c63ff2f5541057aecb02bf4984427a307adc43

SHA256
43f50a044706449cd88b78a0ae726f9d5b1c5110ce6c2ca68a1b093a9c1a670e

SHA512
5bdaa88ef92b5ae4cf8f8a14082b62d743a1903693727482d7c62445e0315175d74118311dff323c458062f6ed8b2687b4df03c3de7f0677f2fc9070e33f01e0

Download Submit
C:\ProgramData\UPNECVIU\FileGrabber\Documents\MountRevoke.ppt

Filesize
1.8MB

MD5
7f978def79f90147d2984e9b23221bd7

SHA1
4d5c52108498e94d2dc279401edddf83fd53e99e

SHA256
bb1bb45f6a67a5ac3060e101e240b8939a8a9290348e3fc1d81160b9c7ce8541

SHA512
58c15cfb8525b35fcc97cf7400bfce0451b0ad104bf30fbcbd6c43b7e0e6b083d37c91ce94650f6e0eaa30df2884a112d86f90a5515658e851f9430f54228451

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANtJfOJY.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANtJfOJY.xlsm

Filesize
24KB

MD5
9ae5193e7333e6b1fab2c40f4d60c46d

SHA1
97f33d428b58fac4138273f40de8fee3d3d091af

SHA256
a78c12cd3e4e1620cb44870f2072aba55d50c057bd8e7e5422f33a55dd01c987

SHA512
8c039ee637da18ed2a748eef62590154db4b99a79ee0de6dd55f5019c67be30fff4b8b4d3959d125d92fa34a7ec2623aeca1d18a4d20606d55e9465ec9593b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91A9.tmp.dat

Filesize
5.0MB

MD5
a39637da87237fe48ed47ea7000d1145

SHA1
185762bbfd16fdf5be2f21507cfb8a12a076a291

SHA256
7ed5cb29cc91ea5306e82edeace6da7ffac31c0ad9436a901ae50dc09bb6c75e

SHA512
f3befe15206593a45af4be86800b2fd3b64e6680fdd7ea6fe13fb90f3a1ceea2c2c355ce1298bf11354f58a27f11acf4d4d35386e318d3dce3eaa067d5c42e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91F8.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9237.tmp.dat

Filesize
92KB

MD5
ae2cd96016ba8a9d0c675d9d9badbee7

SHA1
fd9df8750aacb0e75b2463c285c09f3bbd518a69

SHA256
dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04

SHA512
7e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d

Download Submit
C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe

Filesize
1.0MB

MD5
c78e19b1b79ef2cbed3428f6d055a217

SHA1
34e1cca94e8a5dfee7825951e8d7d103fe24a94a

SHA256
f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

SHA512
e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9a53fac47fbba8d216d03cb22e9ca8b6

SHA1
b65419a069fb0ce62f0c2db40ff7504ef9fa2465

SHA256
91d7f7130c3759046a0403c5f77bccf72c828854b53e25f4b92be7bebcf6c098

SHA512
379c17aa7f777a32fd3762de9d51e7f2fd3eed6ec26f5c7bcc96db954fb0e74bd7f8b317926e2824a6bc01f130325b2f223f15f4ecca0c85cf1cc51ef4e3e4d5

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\CloseImport.html

Filesize
228KB

MD5
1da8fd1970a183bd147360ecfa2d3ae4

SHA1
d2d514f43c3eab897487c61424dc2c2b58cb38f4

SHA256
3e260b7f5908a1c1918da46bf4b37774c0ea932b82070512ce07ef2f406fceed

SHA512
32f189be59ca2251d8eaa4c845cac94f3f4fb00ec4fa543a9b1d3ff6935464c42bf4c12a79d4f80d6c51c75c40bb28652b0fd4e705dcf89aafe92357495937d3

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\ExitSync.jpg

Filesize
124KB

MD5
e68074e428508479fa40022f7d39233a

SHA1
f6c05c60f540a854cda06297d40ec6a184fd85c2

SHA256
a377cbfc0080f55d4ad7c4899ef326b17771e0116c64afbc11ea59b6d8216bda

SHA512
0ebcc89bf0681669423e1fd9057723da3d43048f841e9456b4c6b623d292eccbc73053140f0d9fa34d18f3112d4ca62604da229bc6822a0b0bb1528f2093e97d

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\InitializeConvertTo.sql

Filesize
208KB

MD5
9429d8cd664e6e4c3d8cbb0625b48bfa

SHA1
3ae4f1172bf1648918dca1eb57557e438b9a47c1

SHA256
eb0e55d56539dbaec5ff6d6ebd993803be6bf67190003dfe81864c3d4a3f5bad

SHA512
17251a613e26609aa82e3dcceca661851fc29dedae3ed9528b843b1de319cfd9c61b00874a442b140a895f111ee7d64381e44ccc52464857a6067b6f6949827d

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\OutCopy.docx

Filesize
15KB

MD5
aba21c1f9f3285b1aa49a26f8a5be5ca

SHA1
543ce3efb5d9f4690cf6308bc9db3d924b869ecc

SHA256
8c8901b2635b2b36b02e396aa65bd51e135840f551171efbc585754b5f4cbde8

SHA512
0430f5c58d2b63d57e9654b2ec412039840dcb85d826267cc0e47fe453a076df2ff02e56cef9224a277ecd8a57ab48cc5beddfc64ebae36f0ff99a5f8261c2f3

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\ShowDisable.docx

Filesize
21KB

MD5
c31af1cf19564d5644a2b59a51561c2f

SHA1
5a44855c19f4f516f568a08c35047a4de6203208

SHA256
64a79f3518aea0c2e55ffa4f24246c6c2de9b2d60a4a3f528dc0a812f45eabc5

SHA512
f87138d5137adb5c34c72e2f43a5e7a3f93a2c315cdb6fa488aaaac81f254a87e4e344c98d99a33321f6b23499d04e4b1002b06355352e82a7ab67c0168eb308

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\UseExpand.html

Filesize
248KB

MD5
73315de72cdde50cd77fbed67e4972bf

SHA1
a303a7fb927aa7ba578ca7317878da35a0a4b45b

SHA256
90546e2b2c99e6aa55f75df0cd817069aef19ad71c00cf289f493929575abee8

SHA512
5f3db92fe782620c243cd4cf8f8d73485dc75c902007b637b3915c7c5acf43033ce8dbb536e9f9ad4c5e7a61ec0d7e2f0b4da6f3a526ddf0cb9103f9e567beaa

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Documents\ApprovePush.docx

Filesize
15KB

MD5
efee8ee39f9a53e9ffc4b91732370c3e

SHA1
fe65dbb74d230511460658bc6e959be38abd303e

SHA256
214a5c5fd1ab849e4812b38ee934a6dbaf957d1d2f86be5ded179ad6070c2255

SHA512
b6ef821fe90e3821f44896c35a9b5d6d65037abd38fb14ee63d87edf5411fbeb0c46023ccb1db08b7574bb36e1ae4b75b81322d241ca17aaafa526e692914447

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\BlockSuspend.bmp

Filesize
620KB

MD5
f4e12b6835d941da004d3ab093c82f05

SHA1
c695f6e8b43f8646e053f92a6fab01d629bda37d

SHA256
da038e77c2ede08bf7e64b3ab580cd8da9bf080453c05b22edef59b78ab85000

SHA512
9b5e4e3a37874f2f4def1e277b0ff9d434aa1a96aabcf5714a86e759039e045658a676722cb0e6b93b7f3943a4415d5f36b7d4ba3a1ed4ab4eed67ae039e7408

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\EnterImport.jpeg

Filesize
1.1MB

MD5
9c606d552e2576407343de646af18b94

SHA1
631035fa19ccc0feff1f8cbb0d04d261bcae4f1a

SHA256
9da20c23181eb75b4834fd1963606260fea2fb63b5da5bd181ba4cee97240a19

SHA512
a819950cdafd51aa62f7e37203d87a22dfab50652c7caa95366c78e83622d36a695864ec0d96774b6dbc304cb3290418dde2a40d0c7b949c323122fd8551c284

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\BackupSearch.png

Filesize
823KB

MD5
5bbe31dcd270904946fd16d7e106ce52

SHA1
2f2533aa872ec77a9437869a13f97d13245ff1e8

SHA256
949c229fc4959c0dea142cf3ea80cf68b3bec6b773a44911547da649d8f12cae

SHA512
f2face9c715d96fe24f236e0924d53c13e9876d84c696328dd3b0248f127defa5504e6ee852559ca0ba8344ca5125c41539069806e3728f571ad9c6ce9966b56

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\InitializeWait.png

Filesize
537KB

MD5
66caf0b11bf380690008f1a6962f0760

SHA1
9323a49e6d6ce94c92123dabbedf05bf63fb2e17

SHA256
c49ed5b4264bcaffc6eddc65e2aebb856e715cce68ce1d812ec08330acfb8f3f

SHA512
947e5a5baaf5b1277ea9d8a205877f6c3cce9419cafbb794390df1ac5aebc759db18c8da71efc9f79eb133931ec446ef6e03ecd5276e831fddb71ec628b9ad34

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\FileGrabber\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\InstalledSoftware.txt

Filesize
1KB

MD5
196da0a1f32dbc89b3b8ba0f391f8c48

SHA1
f0ff637fb76443adad85bfa1b929dd4280d0170c

SHA256
6d9ebf86f570df9b344ad896c4ebec1ee61ae4074c6dc9bfb3fffb7c1b59c9ef

SHA512
b3f34fdca34021a40e2cf42fa806aec7d92c9b870a782a6268d7ae0115ba33d7bf444c8cfcd0f6537da2a448ea51c37b4d1fe5f020cc2e86b4e0850bde850706

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\Process.txt

Filesize
1KB

MD5
e9bb97da7fd058a1dd63f9bcc27aa3e4

SHA1
75db75e2aa9835d7de5d88aed56580280c9c4e65

SHA256
47c896487e5db7f79b2d0ae3afba0be954848d03e3562b21680e81ac86f80a7e

SHA512
3cbb7cc96eacfe6f67501624e5e9061ccc245b2637bc65ee9fbd33a4f8166e275581ddcdacc8520b7cc88106925165ad767bcefec8ab641c1bf9fbe1428e266d

Download Submit
C:\Users\Admin\AppData\Roaming\UPNECVIU\Screen.png

Filesize
51KB

MD5
2abb31d090e4961a09c4e1701ed63d5e

SHA1
b0630fa0bb2ffb7b25b0b5936452ddcfe8f53a21

SHA256
b521fdbd5a0e93395b43bc06e91693dd9ff61215b6b7c510741635f4b6e4e9aa

SHA512
41f5ff7a9ea5c1514ffd5ef23a9ed39778d7d45c487786b2e5950f0759499156d5d67097ec9d124864f17e01bfeead4cf4a7e7cd2e681d74b86c10fd65b64e66

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe

Filesize
320KB

MD5
f71e90cbe5a122796864f70feba51a50

SHA1
b63521622fbd176baddf513e2eb191f655880bca

SHA256
8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

SHA512
001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f

Download Submit
memory/1192-39-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1192-9-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2348-412-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2348-511-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2348-430-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2560-206-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2820-36-0x0000000001280000-0x00000000012D6000-memory.dmp

Filesize
344KB

Download
memory/2996-50-0x0000000000060000-0x00000000000B6000-memory.dmp

Filesize
344KB

Download
memory/3036-3-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-0-0x000007FEF5EBE000-0x000007FEF5EBF000-memory.dmp

Filesize
4KB

Download
memory/3036-12-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download