stormkitty | 71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Size

1.1MB
MD5

e10d4a9fb3f6cb40b721a883f5b21333
SHA1

2593e6d56fe6c76216c026eaf44aa1fdb61137ff
SHA256

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c
SHA512

321137c35b903991c1653af0bf704dbe9c7ded42b941260a7a3222b0407d5dd91c593fca18ab599347fbcd985a29aafef45d97990c170c1f1dca4f04d59c22d0
SSDEEP

24576:5nsJ39LyjbJkQFMhmC+6GD9c0P8j/svqA:5nsHyjtk2MYC5GDzP8j/Mq

Score

10^/10

stormkitty xred backdoor collection discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 8 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120fc-7.dat	family_stormkitty
behavioral1/files/0x00070000000193b8-17.dat	family_stormkitty
behavioral1/memory/2876-41-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral1/memory/2804-47-0x0000000000B60000-0x0000000000BB6000-memory.dmp	family_stormkitty
behavioral1/memory/2076-51-0x0000000001230000-0x0000000001286000-memory.dmp	family_stormkitty
behavioral1/memory/2436-187-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral1/memory/2436-269-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral1/memory/2436-317-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 4 IoCs

pid	Process
2876	LocalwCsRGYdPHX.exe
2804	._cache_LocalwCsRGYdPHX.exe
2436	Synaptics.exe
2076	._cache_Synaptics.exe

Loads dropped DLL 11 IoCs

pid	Process
2876	LocalwCsRGYdPHX.exe
2876	LocalwCsRGYdPHX.exe
2876	LocalwCsRGYdPHX.exe
2876	LocalwCsRGYdPHX.exe
2436	Synaptics.exe
2436	Synaptics.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	LocalwCsRGYdPHX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\ProgramData\BCXRJFKE\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\BCXRJFKE\FileGrabber\Documents\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\BCXRJFKE\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
9	freegeoip.app
14	freegeoip.app
15	freegeoip.app
37	api.ipify.org
38	api.ipify.org
39	ip-api.com
41	api.ipify.org
42	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2724	2804	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1976	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2804	._cache_LocalwCsRGYdPHX.exe
2076	._cache_Synaptics.exe
2804	._cache_LocalwCsRGYdPHX.exe
2076	._cache_Synaptics.exe
2076	._cache_Synaptics.exe
2804	._cache_LocalwCsRGYdPHX.exe
2076	._cache_Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
640	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	._cache_Synaptics.exe
Token: SeDebugPrivilege	2804	._cache_LocalwCsRGYdPHX.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
640	AcroRd32.exe
640	AcroRd32.exe
1976	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2876	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 2248 wrote to memory of 2876	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 2248 wrote to memory of 2876	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 2248 wrote to memory of 2876	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	30
PID 2248 wrote to memory of 640	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 2248 wrote to memory of 640	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 2248 wrote to memory of 640	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 2248 wrote to memory of 640	2248	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	31
PID 2876 wrote to memory of 2804	2876	LocalwCsRGYdPHX.exe	32
PID 2876 wrote to memory of 2804	2876	LocalwCsRGYdPHX.exe	32
PID 2876 wrote to memory of 2804	2876	LocalwCsRGYdPHX.exe	32
PID 2876 wrote to memory of 2804	2876	LocalwCsRGYdPHX.exe	32
PID 2876 wrote to memory of 2436	2876	LocalwCsRGYdPHX.exe	33
PID 2876 wrote to memory of 2436	2876	LocalwCsRGYdPHX.exe	33
PID 2876 wrote to memory of 2436	2876	LocalwCsRGYdPHX.exe	33
PID 2876 wrote to memory of 2436	2876	LocalwCsRGYdPHX.exe	33
PID 2436 wrote to memory of 2076	2436	Synaptics.exe	34
PID 2436 wrote to memory of 2076	2436	Synaptics.exe	34
PID 2436 wrote to memory of 2076	2436	Synaptics.exe	34
PID 2436 wrote to memory of 2076	2436	Synaptics.exe	34
PID 2804 wrote to memory of 2724	2804	._cache_LocalwCsRGYdPHX.exe	36
PID 2804 wrote to memory of 2724	2804	._cache_LocalwCsRGYdPHX.exe	36
PID 2804 wrote to memory of 2724	2804	._cache_LocalwCsRGYdPHX.exe	36
PID 2804 wrote to memory of 2724	2804	._cache_LocalwCsRGYdPHX.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe

C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
"C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe
  "C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1064
      4⤵
      Loads dropped DLL
      Program crash
      PID:2724
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2076
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalfoWhpQgnAt.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:640

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BCXRJFKE\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\BCXRJFKE\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\BlockWait.xlsx

Filesize
12KB

MD5
4c21d63628f1ae13065239825e746c0d

SHA1
d64aeeb7984f96b76909994149526a31b59e6e0c

SHA256
4bc4ac32a048512290925afb6f0bb19b0a328d9137ccb8effa20e3c3ec83f580

SHA512
ae32473d72dcdb9a8cffb804d18881c675fc4a8beeddbfd8d396d25a32ba92f417c34dcada611ae2b7454548abd0cb0b76e211da479fc04abbdf06a994802009

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\CheckpointSearch.xlsx

Filesize
13KB

MD5
3d23bc42da89281208e7901f24e5b26a

SHA1
b39889f1f59cc72369a1056a48e4a9d07c916180

SHA256
aa4edf5a72ff47c2c28a94970a410c3d5c29cc0985359c9ddca07774f566a6fd

SHA512
e50da571124a8231b198294065d2f5037f71e2f67f0d6118b9629712780a4b50f6dbe948c92330c5c4de86d9b1d2c0209f1866f569a8c6a7d7522a3e1a51d5d1

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\CloseAssert.png

Filesize
839KB

MD5
0b77cc4d69eaf35f071ab776252de52c

SHA1
781fc81180f4df87fd8d36404b105de54beabe82

SHA256
a9ff6fac195b03d1cb9f41006f12bf4ba89d3f60e2beea6da669a4e5e00dd193

SHA512
243f08ab13b65249feb20fac376f28105992b3fe7344ba06e231ca40be9bfeb96b7b1258ad862b07185a5f41ce8b106d8203bbf74b7a760919a80df3d0ec21c9

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\MeasureResolve.xls

Filesize
378KB

MD5
e02fc2eac94f17256df96ad9b55c9990

SHA1
257adf0e4041c43c2504e5591bf1b8d0a5502858

SHA256
73aa103542a0ca1a83c5033cb2e8a59ff41c3edfdb2af4bcdc11e1a5b67c8eb3

SHA512
844fb62c43f88db3773573b5179a66be3542d11c8053f6d05bba8b51045608eb8a15fa1a401c480d428156f239e18e4ca0fd1464633bcf58ebf0e0ed4a1d795c

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\SyncDebug.docx

Filesize
970KB

MD5
b341b7333c0590046c5cd5042df9d3b2

SHA1
21f690f5d6327ba3e0544822b50f70b70696fc63

SHA256
590b17a6443cef07168e240e583c4b0afc53f26dd2654f07663f6d18149e8624

SHA512
2eb334422398ae741b04694e367814cb03db78b8737ac5ceb4cd50fae14cfad4e66a90d0d5cdae0574c6c001e22d7731893dbfa808a5479ef9dd5a786db6f906

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Desktop\TracePush.xlsx

Filesize
13KB

MD5
e1c685cc51f55094bf06c6727b2c945a

SHA1
d7937ffaf0a45d778ad180e4efa8b70939fb8611

SHA256
a2b4ae75e38a1eec7d95bdb80b04b20203992ed47a2683925d77a90d614758d9

SHA512
49386aca07ce2a6769891b770fc2fe512df3a28a5ad7685cbd8046ecfda3dcacebd93ab52185cbe2202381283470fe9487b96581b5d8be81af9abdbbbfd2bae5

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Documents\ConvertFromAdd.xlsx

Filesize
350KB

MD5
a2b7d018405ec0ad238e13a4841c9f9a

SHA1
c32c045b68ee4209efd26511769a8f6e8ac37fcf

SHA256
c941aea1606c66b748238323a107c89f35deea4467d0c16a7fa4274270182552

SHA512
a4a9f03b9c6ab65b355cd29b2a17157c9a4b4fb66b9b356dc64c727804385dedccfebe0d31d67edf6645eab6aaf7a55867b0dc546be1e846958ff51e2d4e9d20

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Documents\EnableMerge.xlsx

Filesize
9KB

MD5
33f74bddca3df8b6af4b589e613a3055

SHA1
822a575e22010cce91e392354c1b33050b9af5e6

SHA256
0eb15775eeeb9cd4e2c7c362385394921b4c923ef7a7a4b1ad0c6ccf16fc603c

SHA512
8579a080b5c5f3442e72f6be1db525630ef038731afac4c8dc465ffe735827b97211b17588cb2209bad92b9d3369cfa7a74690d0dd271be4259b518c8d19ae27

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Documents\GetWrite.docx

Filesize
18KB

MD5
a09f76e8b2fc39e0bb5ae07bd82c1440

SHA1
49c4392d7a33470ca9c19851f1274ad73b09cd38

SHA256
3bf4be628ccb36d77693cf854b6863c45e640c1313335ee646b734b800056d35

SHA512
e625b37ef239cb3325f96237b407b3c2750c216d37278d5e0ad4af15b3b7351c735c86dedc7d953482d3a4e8072e1069214aa828ed448a8ac07945d58a6a3f8c

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Documents\JoinSplit.rtf

Filesize
764KB

MD5
7bdd36fa466582fea166e9d06e83b2d6

SHA1
81a45e850b50cf9602602b07e9808c13f67c49e5

SHA256
423c799060e8aa39486150a1638cd6bc5ffe4bfa9f1db475d92f3bf49468c2ce

SHA512
19d6499e4e486f88252402ce203f12578e7df53360a9d27fdb02f04d35a85ffe68d4c55fbbfb9e0cbd70c32798d379362a0a4e78c04d0d9f30d6bf99a12920da

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Documents\MountSave.rtf

Filesize
287KB

MD5
b89ed180868616024022949b526065d5

SHA1
7f5217c5ef8807bc6dec0c74140186a0523a65c1

SHA256
8832cf5cba843650dc87d10c8cc9c5dd0c25cc5f89c8f6009d76debf9465e13f

SHA512
bf27e6bb2a982ed9e1376d86ee6828be7314f62cb1a43538eb12afdc200fb493a9cee30966df708af217ef5831403fe9c312567951fbc727e929e4dd3cf68eba

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Documents\MoveUnpublish.pptx

Filesize
445KB

MD5
105d6cab32b60583c18890d25a7e0128

SHA1
6710b8c24758ac5777beff5b572f13e668cf306b

SHA256
065c6266ecb22fcffff431575e9b31f302c0536b85fb7bbdd2d8161baf49c40f

SHA512
76ae8412166080ecba59534dd925118c4430604399d86e075cb279171e01d91b03dd845c7ff4bba886f7a2c331387088d33b6092343a7537384002ebc46837b1

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Downloads\BackupUnpublish.html

Filesize
1.1MB

MD5
afa49186ae96f47f3064bd5665850255

SHA1
39d4ca563fea249a70c00037cfae6f445f6a4b05

SHA256
a33fb4c4ec04084051a3132d01fae70ae2889c11ebca8c36f9da4ee58fb67fca

SHA512
ff8a2b7e72e3b3401e1d9b7021b4bbfb31428fab5eaf184164f0625d86b33fdad0d26b03ffe6f4c894952c60f21cdd601ccb83288a1aebb5968e96f21bfaf35d

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Downloads\CopyRevoke.css

Filesize
586KB

MD5
9c5e6d96adaf7723982b93b8d012daf7

SHA1
43a2a03df53a95485e4bf12287286ea64927406a

SHA256
1f2bf47fe96266ad8d905621ee43cd1d861b544743654f814f0f1234528385d7

SHA512
b8fe46e9313b16dbec00ae3052002307acc84c9cde205db844a0ed9bd563673a86ccf3c83555313c3cdfba57cf01fe53dba2c822cd0f2632cd1e294011c49d85

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Pictures\BlockConvert.jpg

Filesize
666KB

MD5
6cd4ff9c3d04898a317ad1b32f5c46e5

SHA1
166975f6924cab88328539dfe5cb87b9538b69a9

SHA256
b82bd875af274c737cbaccd588daea4538ea8733ad4f16e754e63c379dc1ef62

SHA512
c19f2a09f6092a7ae147da8b5f4e9ad79433a77ce022cfcc7e41e139826fd75ec2dc0fd0a9bd52eaaf1e83a4aa827c3fe4279cbc6b7fe45335baa66e83eaae53

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Pictures\ClearUse.svg

Filesize
723KB

MD5
c19a47653a8f4520d216c6aad3acb948

SHA1
5cc802460c9d9455c09b4388f99b14c67b6e69a1

SHA256
d34fb2cb26ea3d7e53ed46906b1844312de48e57bf7b0b216d2ab54d09335f2a

SHA512
c4d1b718bfb3b1badf16f703a9bd68b4371786ab7bc0e7ea739b6dda94777fad22d11068b057dcb07492a18e94261770b031f67537e8bd93c41d4d6084e86151

Download Submit
C:\ProgramData\BCXRJFKE\FileGrabber\Pictures\ConfirmTest.bmp

Filesize
297KB

MD5
8e59e4edb7fa6714cd05eae064b8a560

SHA1
294176b1d304b426a060bd681907f865e5a2964a

SHA256
c656d43290c6b02bfe8c1cd066e97861b86c9d334a97810fe46612bce09c3d4b

SHA512
3e9c676c818fc77f91470a243f7fc8e38e4f7bc35dbaea087f1a44ca9d56b9cb48bb83f1a51cf413f835c6718e53c6b74735f4fe327263df9e2a6f3942e92e87

Download Submit
C:\ProgramData\BCXRJFKE\InstalledSoftware.txt

Filesize
1KB

MD5
196da0a1f32dbc89b3b8ba0f391f8c48

SHA1
f0ff637fb76443adad85bfa1b929dd4280d0170c

SHA256
6d9ebf86f570df9b344ad896c4ebec1ee61ae4074c6dc9bfb3fffb7c1b59c9ef

SHA512
b3f34fdca34021a40e2cf42fa806aec7d92c9b870a782a6268d7ae0115ba33d7bf444c8cfcd0f6537da2a448ea51c37b4d1fe5f020cc2e86b4e0850bde850706

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCvIxNiV.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp419.tmp.dat

Filesize
5.0MB

MD5
1ee19e2b7926f5fe3b2c669eafca762b

SHA1
ac6f86c58787c63572e9bf99dcdcdeecbf8b9aaa

SHA256
efbaa7354d994796d970a8034fac797a6c3bd5e978c15430639ea0e3ea30c857

SHA512
204672861e515dbf41268bb1f2413192cc55a758f3165294e122d7a978efdf074db3e4a695b729fad873fc668beb7aaf1814ef43ec98d3a5e719fd0a02507baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp488.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp554.tmp.dat

Filesize
92KB

MD5
6d9ead954a1d55a4b7b9a23d96bb545e

SHA1
b55a31428681654b9bc4f428fc4c07fa7244760f

SHA256
eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c

SHA512
b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322

Download Submit
C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe

Filesize
1.0MB

MD5
c78e19b1b79ef2cbed3428f6d055a217

SHA1
34e1cca94e8a5dfee7825951e8d7d103fe24a94a

SHA256
f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

SHA512
e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2234c6a464e8c463bcc648f98924c1c2

SHA1
3e072a69103afa2e6304fd0acf028262aa99ac37

SHA256
c9acf7955c6c4f081544d1f4ed4ab2c68c8bb049e29fbc4f9cf083abda9ef428

SHA512
00b02f5c84a2a45e5f6510e190322d6bb7a0dc20a4db24c81326ff1bae2bbe05418ef0a4c68e4f89ce9e1a154d0e4cd73fab3ed78b0cfc3f96ebdaf0251b3e13

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe

Filesize
320KB

MD5
f71e90cbe5a122796864f70feba51a50

SHA1
b63521622fbd176baddf513e2eb191f655880bca

SHA256
8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

SHA512
001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f

Download Submit
memory/1976-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2076-51-0x0000000001230000-0x0000000001286000-memory.dmp

Filesize
344KB

Download
memory/2248-9-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2248-0-0x000007FEF5E1E000-0x000007FEF5E1F000-memory.dmp

Filesize
4KB

Download
memory/2248-8-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2248-11-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-187-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2436-269-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2436-317-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2804-47-0x0000000000B60000-0x0000000000BB6000-memory.dmp

Filesize
344KB

Download
memory/2876-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2876-41-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download