Malware Analysis Report

2024-10-18 21:31

Sample ID 240817-vtbmnszemn
Target llllll.exe
SHA256 8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523
Tags
stormkitty xworm collection credential_access discovery execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523

Threat Level: Known bad

The file llllll.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm collection credential_access discovery execution persistence rat spyware stealer trojan

StormKitty

Detect Xworm Payload

Xworm

StormKitty payload

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops desktop.ini file(s)

Checks installed software on the system

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

outlook_office_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 17:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 17:16

Reported

2024-08-17 17:19

Platform

win11-20240802-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\llllll.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2684 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\llllll.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2684 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\llllll.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2684 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\llllll.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 2684 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\llllll.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 2684 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\llllll.exe | C:\Users\Admin\AppData\Local\Temp\zzzz.exe
PID 4112 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 724 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 724 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\llllll.exe

"C:\Users\Admin\AppData\Local\Temp\llllll.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\zzzz.exe

"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 172.67.209.71:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 104.26.12.205:443 api.ipify.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 sites-sing.gl.at.ply.gg udp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp
US 147.185.221.16:6789 sites-sing.gl.at.ply.gg tcp

Files

memory/2684-0-0x00007FF8A6D53000-0x00007FF8A6D55000-memory.dmp

memory/2684-1-0x0000000000B40000-0x0000000000B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 90feaeac1ed833652f5267124acd8293
SHA1 ba3fa9aa1c28e54d712bf8766234410d56494859
SHA256 a9ad869209d1344ab64479f2f1557291b97358451a4aa6d32da2f570de02851b
SHA512 0b29579c520bd59fddb14e50c2f4c7ab407ee6177cc2682461c1308f78bacfc151b5d3fc16c2b5b566fca40fdba683cf403b7efaa23fe3b9b5efec1ad0568042

memory/2684-10-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

memory/4112-22-0x0000000000B60000-0x0000000000B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zzzz.exe

MD5 de4824c195cf1b2bb498511ef461e49b
SHA1 f15ca6d0e02c785cce091dbd716cd43e3f5a80bd
SHA256 51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209
SHA512 b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

memory/4112-28-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

memory/2684-27-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

memory/4504-29-0x00000000744FE000-0x00000000744FF000-memory.dmp

memory/4504-30-0x0000000000820000-0x0000000000876000-memory.dmp

memory/4504-52-0x0000000006650000-0x00000000066E2000-memory.dmp

memory/4504-53-0x0000000006CA0000-0x0000000007246000-memory.dmp

memory/4504-55-0x0000000006A40000-0x0000000006AA6000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASAAPRDB\Process.txt

MD5 575768b92bb5c9f41410b05ae94046f3
SHA1 cbc694fb1efe08212249b1363dfdea112e6927a1
SHA256 17ceaf3032c01ebdbdff98fc3063df35675443890b32973b34d2287371e3872a
SHA512 44360f25f6999b96acfd51f67dc3c5373b47b595cb74a1497e12e3bbad84388f2fa8ecb0edab10890e2d2ce8a2c354439005d28570c62d8409fc4d9e13a5067d

memory/3716-139-0x000002AECBA40000-0x000002AECBA62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n310r2tx.g2e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 051a74485331f9d9f5014e58ec71566c
SHA1 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

memory/4112-191-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

memory/4504-198-0x00000000744FE000-0x00000000744FF000-memory.dmp

C:\Users\Admin\AppData\Roaming\ASAAPRDB\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Desktop\BackupOptimize.html

MD5 ab35baaf61d9ce9807adbc738a8c81ad
SHA1 3a6bdc74ff0f65d8200797d40c3fb128f403048c
SHA256 c876bba4111af795f85a150baedc28639466cffd5cb5034316a5080cfdcd988e
SHA512 2af996ce434a75452ea03415d93810e3d6ae4f99261b8c51f53449e7b6a90a0c43e1b3016a9b2a8bd70f32b9a730259f1dad8fd2a531a12ca2826e3cea271704

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Desktop\ClearRedo.rtf

MD5 fb15895a56d7db04c964807d1b92a0cc
SHA1 76bcc9191b451e0c208298ad93981d05505e4fd5
SHA256 7192e2df6cef10cc961941f7839771cdcd68b91f42b8badaeb425a7ef74711e2
SHA512 5054efcef298b8bc6e8c92b5a031f9f763196afdbab5fbb2684a6e7f19f8d90cd5a7896d33cc2648d7f5f0b2ff31960d6a9131b75c70b27ff5a0da998374988a

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Documents\CompareFormat.xls

MD5 c96fe54ec6643ab07909a470650f0bae
SHA1 fa3ba0ef1722a0b091768a9bd49828b6ed7eb600
SHA256 f7c5cbe52a0356affa83ed4bdf213311438540d0932a9e627b446cead27f7203
SHA512 e2d66eaf819bab7aeebd874a0e072a5ebde2ad1be1a48596e3972344bc2fb03dececefbd35a667ff90b3b139bbb32b8e7d19e98e43a1124bb2ea90718bf21a86

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\DebugConvertFrom.rtf

MD5 901be9f307c00c8fb37b4e5e62435f45
SHA1 9fedffeafb4f4b5009edb96eacba4bcc4754220a
SHA256 03903c6ecf72c3bee185427170a8aa2fdd15f5a864cdbcfc30ba5f42201c618b
SHA512 1856b1e894391e14332582753856e80db66fa2c038b2cf41039a0971bbef8cc79ba6482cffe16807c8dbf65063cdacb9a197e0efd91aac7b7700700bc36dc390

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\LimitApprove.pdf

MD5 0e2f98fb5db86680616609808b8eb3a7
SHA1 7a5212d446cf1af6fa1194ca99c77bfd0cefe19a
SHA256 c0913a3c22e67375889ba2e5415273cb417482a93ee87a982ea100b6ebc0751d
SHA512 a095e1d218a7362469beba6eca74dd1b55251e945150d0537d523cc9da3b30c42a71a552886c4a8f975a298016611810bdc4a12db753c67c33932cb7c66fc61a

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Downloads\MergeReceive.bmp

MD5 eea412c37b56594c90dacd1c9a7dbf22
SHA1 1035e2aca1c82d12cb9078fb4b270fd7fdd01584
SHA256 3c3de7cbbc5819dc2686c412fe6eadecce527d76a689715dd131c79eff92320c
SHA512 55cf6272cb640fea23ba94e0d97c0f611070047acfbaa90b08ce4d1c0c7754de0dac8b7e1d29b7096208843dab9f2f89c79d2a274ba2c89c7b81dcaa2e88f39b

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\FindConnect.jpg

MD5 5882078b25d2b68587d727a23f7105ec
SHA1 6af40a9125c6d42228dad7d723b8148c45ed12de
SHA256 b1602e22ac59993aa92ea18fd8751a5f15379c3e156f59ceabbf98f7ab47814c
SHA512 e1ca3bae013185a0fcd983c72058871a16db3b7191bba649d45200263979c927f09aadc9d77a49af742571ded4d0c1291f4c33cca48b9931e33e79761e098c09

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\ReceiveEnable.jpeg

MD5 b76561855f3cdb932d41c25bde0afd7e
SHA1 a18dca64155f3a631d09176628da4c3663cacb83
SHA256 f84bf83635c570a241971b70445544cf8ff3d7104ea768c5e0841d56824787bb
SHA512 1c156c1519152ccc5e8ae7176811141fb859fd74c84f010196fb8121b96e5f43d3e1804dd93182146e535709e7348b75c86c8d46665c9b799594b7ad6b8ef42d

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\RedoMove.jpg

MD5 cff1f9cee049e91376838ba3e56c6fe0
SHA1 875418bfb64f6bcb653b9f6b174cfa1a242ddcc9
SHA256 320222905b17077e1828092fa4e61d67d15c7fd5cb75abf00bb6164103c5642c
SHA512 439ebd25a14ec6daf8cb749981efef43939f69b6944b0e2cd659e6d59639978fa6d36d1129415ecea1fdad5bdb4dbb3346757f344c6893ac3cf60e1dfee19336

C:\Users\Admin\AppData\Roaming\ASAAPRDB\FileGrabber\Pictures\UseCompress.png

MD5 bce9a2a73c508af15bbe2e83e3c74f81
SHA1 38c8bfefe8deb75542ef370de8bbb25043b1bfe4
SHA256 ab7a2b5e6c48cff3218f234c3f31ef4b64952e14632ff6702982f9a66236706a
SHA512 bfe566b1f259b956256cfd3984e5ce05333c84f0da01c4157e785731b90d5b269457ea8cdcdeaa2dd22b4cf1d1ccfc16376161290d6aa21dbe0c6a8cf87ccbee