stormkitty | f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

Analysis

max time kernel
51s
max time network
36s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Size

1.0MB
MD5

c78e19b1b79ef2cbed3428f6d055a217
SHA1

34e1cca94e8a5dfee7825951e8d7d103fe24a94a
SHA256

f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31
SHA512

e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a
SSDEEP

24576:qnsJ39LyjbJkQFMhmC+6GD9c0P8j/svqA9:qnsHyjtk2MYC5GDzP8j/Mq2

Score

10^/10

stormkitty xred backdoor collection discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fd-4.dat	family_stormkitty
behavioral1/files/0x000600000001949e-14.dat	family_stormkitty
behavioral1/memory/2532-27-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral1/memory/2680-28-0x00000000002B0000-0x0000000000306000-memory.dmp	family_stormkitty
behavioral1/memory/3052-66-0x0000000000BB0000-0x0000000000C06000-memory.dmp	family_stormkitty
behavioral1/memory/2860-277-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2680	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2860	Synaptics.exe
3052	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2860	Synaptics.exe
2860	Synaptics.exe
596	WerFault.exe
596	WerFault.exe
596	WerFault.exe
596	WerFault.exe
596	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\ProgramData\XECUDNCD\FileGrabber\Downloads\desktop.ini	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
File created	C:\ProgramData\XECUDNCD\FileGrabber\Pictures\desktop.ini	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
File created	C:\ProgramData\XECUDNCD\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\XECUDNCD\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\XECUDNCD\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\XECUDNCD\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\XECUDNCD\FileGrabber\Desktop\desktop.ini	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	freegeoip.app
37	api.ipify.org
38	ip-api.com
6	freegeoip.app
11	freegeoip.app
13	freegeoip.app
36	api.ipify.org
40	api.ipify.org
41	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
596	3052	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1064	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2680	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2680	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2680	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
3052	._cache_Synaptics.exe
3052	._cache_Synaptics.exe
3052	._cache_Synaptics.exe
2680	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Token: SeDebugPrivilege	3052	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1064	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2680	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	29
PID 2532 wrote to memory of 2680	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	29
PID 2532 wrote to memory of 2680	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	29
PID 2532 wrote to memory of 2680	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	29
PID 2532 wrote to memory of 2860	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	30
PID 2532 wrote to memory of 2860	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	30
PID 2532 wrote to memory of 2860	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	30
PID 2532 wrote to memory of 2860	2532	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	30
PID 2860 wrote to memory of 3052	2860	Synaptics.exe	31
PID 2860 wrote to memory of 3052	2860	Synaptics.exe	31
PID 2860 wrote to memory of 3052	2860	Synaptics.exe	31
PID 2860 wrote to memory of 3052	2860	Synaptics.exe	31
PID 3052 wrote to memory of 596	3052	._cache_Synaptics.exe	33
PID 3052 wrote to memory of 596	3052	._cache_Synaptics.exe	33
PID 3052 wrote to memory of 596	3052	._cache_Synaptics.exe	33
PID 3052 wrote to memory of 596	3052	._cache_Synaptics.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
"C:\Users\Admin\AppData\Local\Temp\f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:3052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1832
      4⤵
      Loads dropped DLL
      Program crash
      PID:596

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.0MB

MD5
c78e19b1b79ef2cbed3428f6d055a217

SHA1
34e1cca94e8a5dfee7825951e8d7d103fe24a94a

SHA256
f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

SHA512
e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a

Download Submit
C:\ProgramData\XECUDNCD\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\XECUDNCD\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Desktop\BlockEnable.xlsx

Filesize
10KB

MD5
5d9d26dca2285d1feb5ec2cecc0170d1

SHA1
d770a1e9a33e9e887ad5f27f2abd96601132eb46

SHA256
c8329f3dec16dce63d279ba55915fbcddcef835eeffdf5c9bb42614430748edf

SHA512
12834937299194da0b9b1dbf0a4f94d7e75d459fe5c81f86024c5bead0cd245db8c92a9d356935131deffa203f470c2ffe3764f3d687bd487337d96054907cee

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Desktop\BlockMerge.jpg

Filesize
504KB

MD5
133cc12f0361903295a9ba4ed303c992

SHA1
91a7cbe45c3aabbc261b5296cf3911e7517a79cf

SHA256
8b28f94e0603d05ee141820c109bb11ae68a34fb65b49c36450ef7d47e1617de

SHA512
a526377177a45c7a9cd5d2b9315ec73f8c623344993cd33fdb15be2818e6da49e490e157344b0f6517d70a4a74cab5dfca5f8a5ecdda2a0941207d50eeb50ec3

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Desktop\SplitRevoke.svg

Filesize
245KB

MD5
88846655bca992c901300a4fa1df99aa

SHA1
ad5919b579dfa5209e7cfc915652d9db7fe8bf42

SHA256
d917938b30c74d421d45bcf735ecb8852e6d9f0256be10af199dc57af1a3fe21

SHA512
650edd737f56d7acfcd4beff4aa96a7e43ccd499b79714386f588afc69cba01778bc697c422cb2e00d0956dc467dba2c09df166fda784ad6c1bfbc9477b0192f

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Desktop\SubmitConfirm.js

Filesize
477KB

MD5
c3c40a6167da687490f562ddc0a6d59b

SHA1
5e1161e79d2390a61ccb278a7380e52f4a53988e

SHA256
dc5ce738b4858a762d5a5d38d185a6aaa776cff1d76b7a3ec7733d114cc4a414

SHA512
e72371bec00037afb0f3e09b60aac313e32213c01cbb71a5a947fb063abb0956e13eadd1e72a48814f8495281a5027da22ca256c4151d5ba65d918cbabcb8e62

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Desktop\TraceExit.docx

Filesize
354KB

MD5
9b2b02727f34bb0769eafa76ba87f882

SHA1
e2b376877b062bdc610d2f7627ccd73009891df1

SHA256
8f3b1972a8335b75a0f39400e7452d155cde87a656a125b2c6a8f8cc24e380e5

SHA512
84370360f11953bdfe1a48c20c2f1dd6c3701e3377df1f94d752384148524ca60ee310cc1a36ceaaa455865cc77b8ba7a37c75785ed4cd72cc771b4c38fdda3b

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Documents\AssertConvertFrom.xlsx

Filesize
706KB

MD5
4909c370517814e52a5aa397afedf39d

SHA1
99c387803f1d1ea0eeeae28e2a37501576c5f025

SHA256
025bffdab2c0880f88c4ab0889032e8c433551474079bcd40a72b505a3cce832

SHA512
032cc87486935060c8f984fbef13c19be23ac7013c3bab7e3574db7e26de82b1507e9853e85549cd0447f4b97d820534feb40599e1d603e091747666aef41e29

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Documents\ConnectHide.txt

Filesize
933KB

MD5
58d93c9bc069f5b68795e48e391210cd

SHA1
88794f5f0b8073ea13ca499aeb6c7c183ed9a44f

SHA256
2eefc8b6675198a7f4207ca8b6d61359dbeafd444cd5edf196fc9074045570ad

SHA512
7afcdf24fa402a59232e3e5873d23676131042837552cce06e9cd19e5d510d89659d9a99f07346ccd1218edeb1fb02b51dc93e2ad784ac0321840fd25d148c81

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Downloads\ConvertFromCheckpoint.bmp

Filesize
662KB

MD5
032e0d28790934251e7579936ad64424

SHA1
ea46711ff5603e3d44b94dfd3ee5f2fa3985cc9d

SHA256
651c0cdc860f66465cede9673fbc403db6c73eb02a7f32ad493fbeeba5d0d0ca

SHA512
bb1f60e85e7c3b955727341e56ff02c8b25889b388ac6804aee767f6f5382b471ef9a030617ab9c5e1d11de52ef25e812ed742c41749221a6053b2ad5ebf45d7

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Downloads\DisconnectExpand.xlsx

Filesize
341KB

MD5
b19cbfce64f9e363eb95413f203cefea

SHA1
9dfbee527b752f907ff2c5b3a5f88366411e11a4

SHA256
369a7cdf5c9709edeaaa0ab30a8e302c3a1c21a2b5eee5b22f1419c5f24e1bcb

SHA512
c591eefde1421ebd4ee22f8e2a1b7f1278197b397de10871a4bc2a18d5ac5197918f9c6a0a2bac5ac84f1735ab8dcd1d85d55987aff4b4d8cd412e491464609d

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Downloads\DismountConvert.jpeg

Filesize
260KB

MD5
f39363f151121ab9654f96a4cff979b0

SHA1
198cf67fefb4370b2984617d64a0595829f28f63

SHA256
ae6e27479aee58868758c53fdcbea7208a90364b8d0905f515b504766401208e

SHA512
811835553e429a4d4128b68491be0e8aa49970a000a185072610cb0e92f6d54168726a056918385cf92eb50137883ab123b232614ce174653ad7fb2e633faa91

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Downloads\NewOpen.js

Filesize
367KB

MD5
dde521bb0dde9929a2d20da55a11b6d3

SHA1
6edc6d064d092b2b85d5aedc645db8c5e3a109cc

SHA256
2db0d9bf1dc8342a7b8cbb44b367ca6d9fa6db2ed96981d97c91446497c666df

SHA512
f0783b6988a1f9e883c75eb8946e72aa1639fcac3d552fda352203c2c1e7bebaedb9a67cad1df16b47a1c46f0078dbdd7ac32897b7599bccfd677fc700446819

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Pictures\AddConvertFrom.svg

Filesize
249KB

MD5
2b097c40db8788d21d0affaecc10e3ca

SHA1
b97d40cc64a20129865201b6fe344757c5da2272

SHA256
608b7d58c33ee53b016f11843a5b2f09e2c2c55d6dcf96650c5fa0176e18b877

SHA512
5543dd27e2962ae4caa11417ab2d66e8caf94fe1cf0c7d3f7551ae04531bd0edfb86c6fbf90c8e9330a6e178de59895321d40527aa85c29de51e976ab2a20551

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Pictures\AssertRedo.svg

Filesize
390KB

MD5
dcd2f05ebeef504466b35c9d85e7d296

SHA1
db6acdf7dbf0f7b57a22afb91bc1b9492f38b2ab

SHA256
42cbab4c30c08d94f9b8ed9076b83f8a7b82c21312105f3317e4b40c85dfc423

SHA512
77c304ae85925c021e4084271888edd97a3c4ac206c47f2f003831db820c8b8c6255291dde6b55fd456a8296756c4ae11c96b9e6717d07856202da6770261f17

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Pictures\BackupSet.svg

Filesize
234KB

MD5
55ae982f2becf7563de90a6810946d2d

SHA1
08da125e704f9599f7958211cfeac8f8da7b36f7

SHA256
853e9588f46e8eca260a224f59f0637ed5fce968ed8438c533e6f8a8752fbbac

SHA512
7dfeb9dba39e758cef57d59900eda896867cda533ccd63e2d1a7c86b3f6642253318d181576bf9b54756cc0d24fb9f77b1fcf519a4c05003fb588e73e212a34d

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Pictures\CheckpointMerge.png

Filesize
179KB

MD5
e5af579a7f24b96a8cd16c3841e8232e

SHA1
c75df48bd8a54e3b1fb117f472a82cdb0631c930

SHA256
5bbd7a397c5b2301c88d92f28204338bd5a8930537dadd5750477454b73daf73

SHA512
31561db5955f7668849231fce236e665920ab5d9af56daeff38a9e14b44e9e6690d84e2e237740467b4316a83c75dd27618b8431b494c359ad367204165bb116

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Pictures\EnableSave.png

Filesize
210KB

MD5
910dd0db80756aaea3015c073459a83d

SHA1
ff3da4fc7e79ffd6e89ca728be04aed5ba2e24aa

SHA256
182bd75848240836dde91606e7a924bad5613c3391dbb264f12ee17d8d854367

SHA512
f5b2bbf6e78630612a3e2bfdeadf33ec3b8b6145c4f4ade5b95972b4bdfb49a21921bb8ddb5c142efa563e834d1631c0dc509afd64be92f7f1c14495c1afc79e

Download Submit
C:\ProgramData\XECUDNCD\FileGrabber\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\ProgramData\XECUDNCD\InstalledSoftware.txt

Filesize
1KB

MD5
196da0a1f32dbc89b3b8ba0f391f8c48

SHA1
f0ff637fb76443adad85bfa1b929dd4280d0170c

SHA256
6d9ebf86f570df9b344ad896c4ebec1ee61ae4074c6dc9bfb3fffb7c1b59c9ef

SHA512
b3f34fdca34021a40e2cf42fa806aec7d92c9b870a782a6268d7ae0115ba33d7bf444c8cfcd0f6537da2a448ea51c37b4d1fe5f020cc2e86b4e0850bde850706

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqaB7Nya.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
af9e56908227f0906f26d423ce133f66

SHA1
aa387d2516dd55e51b35a29b9d5570dec8458d08

SHA256
5773a7a9ff44dd3f2de1b9ef615432007ac74a6023f97f799c605a7cbd7d40c1

SHA512
db08817c422ac60bbd98073140b9587039bff6c4d46a29ca3a64090c8fafab936bc625ab23b1da61ac4fcd3353fa0ea68a357497f02d79c799b733d85e35e784

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E8E.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EBE.tmp.dat

Filesize
92KB

MD5
882ec2bb4bf46a0ee80134f7b7b5d2d7

SHA1
4f76f5db450eb1a57199f5e0bb4bb6a61b4a5d7a

SHA256
a101a238346d9df0fe89b33f45436042d92878d75c5528ad0b8e201b91db0402

SHA512
eed22fb4d714d6c438760378912286d41f4f1e1ad27d62240fd9fc3c304831567e552e2ffe2524a0869d57a0fd7c6494a1fbf1e0d8eb78f58a052be3a3c4caaf

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Filesize
320KB

MD5
f71e90cbe5a122796864f70feba51a50

SHA1
b63521622fbd176baddf513e2eb191f655880bca

SHA256
8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

SHA512
001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f

Download Submit
memory/1064-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2532-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2532-27-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2680-18-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/2680-28-0x00000000002B0000-0x0000000000306000-memory.dmp

Filesize
344KB

Download
memory/2680-278-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/2860-277-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3052-66-0x0000000000BB0000-0x0000000000C06000-memory.dmp

Filesize
344KB

Download