stormkitty | f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

Analysis

max time kernel
51s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Size

1.0MB
MD5

c78e19b1b79ef2cbed3428f6d055a217
SHA1

34e1cca94e8a5dfee7825951e8d7d103fe24a94a
SHA256

f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31
SHA512

e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a
SSDEEP

24576:qnsJ39LyjbJkQFMhmC+6GD9c0P8j/svqA9:qnsHyjtk2MYC5GDzP8j/Mq2

Score

10^/10

stormkitty xred backdoor collection discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023ba0-5.dat	family_stormkitty
behavioral2/files/0x0007000000023c94-65.dat	family_stormkitty
behavioral2/memory/2556-127-0x0000000000430000-0x0000000000486000-memory.dmp	family_stormkitty
behavioral2/memory/556-130-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral2/memory/2016-725-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2016	Synaptics.exe
1644	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\ZTSLLRFH\FileGrabber\Desktop\desktop.ini	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
File created	C:\ProgramData\ZTSLLRFH\FileGrabber\Downloads\desktop.ini	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
File created	C:\ProgramData\ZTSLLRFH\FileGrabber\Pictures\desktop.ini	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
File created	C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	freegeoip.app
13	freegeoip.app
60	api.ipify.org
61	api.ipify.org
62	api.ipify.org
63	ip-api.com
7	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3896	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
Token: SeDebugPrivilege	1644	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 2556	556	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	83
PID 556 wrote to memory of 2556	556	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	83
PID 556 wrote to memory of 2556	556	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	83
PID 556 wrote to memory of 2016	556	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	84
PID 556 wrote to memory of 2016	556	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	84
PID 556 wrote to memory of 2016	556	f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe	84
PID 2016 wrote to memory of 1644	2016	Synaptics.exe	85
PID 2016 wrote to memory of 1644	2016	Synaptics.exe	85
PID 2016 wrote to memory of 1644	2016	Synaptics.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
"C:\Users\Admin\AppData\Local\Temp\f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1644

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.0MB

MD5
c78e19b1b79ef2cbed3428f6d055a217

SHA1
34e1cca94e8a5dfee7825951e8d7d103fe24a94a

SHA256
f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

SHA512
e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a

Download Submit
C:\ProgramData\ZTSLLRFH\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\ZTSLLRFH\FileGrabber\Desktop\RestoreGet.doc

Filesize
365KB

MD5
8247a75120234efab2a0426377c12b17

SHA1
02b1fd77344ca394c22f9080084d7e272515235f

SHA256
07f159d8e7c5f03ed27679514d276d2b975c858c358f8c63d711f62257144460

SHA512
9bd1a3aab723a88abf078c1dae16d4d4a3cb08ec1d82a616a98a6be1fd0eb9d77c092ded695aec69eeb459944416780d69534547bae660fd789531d9b375364c

Download Submit
C:\ProgramData\ZTSLLRFH\FileGrabber\Documents\CloseOpen.ppt

Filesize
920KB

MD5
1dc3378fb6c60f069ce51db187377a57

SHA1
b032c3bd92b99ab367d388814e4bfda0d9cd3840

SHA256
63117825d429fab1028878392d3c4c2d06bfcbae15636ce98d14c39339a1e384

SHA512
b27f7d86f19b44961d0b09ebf2f6707f9356ad8c6c43f93915ddc7afc10538d90f4e1664efa963354611e4b85a5c3213762edee74decef907ac1e6d49cc241f8

Download Submit
C:\ProgramData\ZTSLLRFH\FileGrabber\Downloads\PushEnter.txt

Filesize
383KB

MD5
8d33fa9324b07d82b91f1aed6a8606f8

SHA1
b1d3db131a536c54de5a38e6f9a8808a5241d3a9

SHA256
e4785163152da0f0e1d8ea4c5f9002effc111ab0cdb0044437e6646833ea761e

SHA512
21eaf03870d3d2ed00a81dc91deee688437147637861ea1c489732ff34ed8888c46d6cb84262ad6e1a100b750f4ada7b054059440d2a454e60e214ed9bf44132

Download Submit
C:\ProgramData\ZTSLLRFH\FileGrabber\Downloads\RequestHide.rtf

Filesize
549KB

MD5
14776f89052bbbecff95deebd1e0a9d5

SHA1
8f2585848965904b5a2fe0de78e59ce871e59d34

SHA256
5a463e83ebdb2ce162d1539f3b1e2e146b5b51138f65ff216845dd9edbd73a8f

SHA512
fbcb9e7756dc7f8d1b4c2eef6bbfc78a4edc96599f2e73929a1645132ea05250d7e46fad64101ec3d912a7ca684e26a9ceafc066bcd5082dedde068667c1cf32

Download Submit
C:\ProgramData\ZTSLLRFH\FileGrabber\Downloads\UndoGet.png

Filesize
353KB

MD5
ed22286c4f03d86a412d1885928f7462

SHA1
7e959bd0747cd8d438ee3a91355bee61c852e05e

SHA256
d7edde4e514f0164123e04e80c9dc00e4f0b52c9ac7403471f00bc60ce19eb2d

SHA512
14e0eb8d32bd545528795f6e339a8d456a8bb39e75e004fb7fb710e003709062144b7b1c1381c5c0e56809a67a6cc28877d218578b0fd63b2955405e73539896

Download Submit
C:\ProgramData\ZTSLLRFH\FileGrabber\Pictures\MountInitialize.jpeg

Filesize
366KB

MD5
b177114f26638084c117433c3e2ff07d

SHA1
383cb563d47ebf34233583073c0c3dbf0aee4992

SHA256
63bec39d9578604f181f88d0cca4633441c60c87a0c3fd9d5a7b3ed471d5c33f

SHA512
81319df0b63fc454cebabd997c940cb91a440fd30c902c6cea271164eca9a7986a17feb42db857e7153c723902cdd14ee6053dc7a16750c62025f50e5e2cb25a

Download Submit
C:\ProgramData\ZTSLLRFH\FileGrabber\Pictures\PushWatch.jpeg

Filesize
653KB

MD5
c05798098af4ceb962107078673477e3

SHA1
228dc4456af548ce6ebdc17a28b0cd2fff3c73fa

SHA256
dafa48237c64ee33664d55fa1bd91e470ac5937c171f8c4d0f1c159924c0d7e1

SHA512
c796c3e79bf8168c5157dfffae6437ede28425d77233667baf555703ba56e9cf7749250a7a1dc79eb4c4c43a0522525bb67c16a17cbeea19b795639afb416869

Download Submit
C:\ProgramData\ZTSLLRFH\Process.txt

Filesize
4KB

MD5
04154961e7109a88b4c3627a6104d6a2

SHA1
153cae6d72bf50fcace82186070399367dcca521

SHA256
e417957ae15c4ea5b69737b15ac46c964dd8ea5ff48fb26ba0b7d69ce5b343dc

SHA512
439571d2a85896291c4d5b7ff65613f77c2ee1598616351323d2cee580d22a4d44431d53762a73947090481196b4490a2055b49f5b8e919cfc074e96afaa023a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31.exe

Filesize
320KB

MD5
f71e90cbe5a122796864f70feba51a50

SHA1
b63521622fbd176baddf513e2eb191f655880bca

SHA256
8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

SHA512
001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EA75E00

Filesize
20KB

MD5
75f999ee38490b3df84f155374b26352

SHA1
01aabeb1e74551878681a0f8569dce78b9a2a106

SHA256
5e333828107bff74d52cce835ab77e8255f03bc888c3920c9bbd0f3f84717255

SHA512
5c9a8ddce7b1ebc7ca137914faf628d9bf006790aec6182187ef35ea1c5da4e8651c7b305840d2b99a660dba573035ce5df7aff98e9d6ee73965a329d520339f

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
6567b8bf6394c215fc0164bdb6be9d49

SHA1
361068a8dbe48dd3f79de190a1fa507768970d5e

SHA256
5f5f264f10158983fa4ffabe7ee45293176979610d00594d19dccff33cd6f152

SHA512
0d2ae07e2b3f31e4cb9cfade4c7ea764d8f0da6042d3c09892720f8339ee32367cf566d9b8484b5adb7fe36d6ecca5d5d8d3c0418f5bcc45f6c437e54f6bd898

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5mIt5cR.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA935.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA50.tmp.dat

Filesize
114KB

MD5
2ba42ee03f1c6909ca8a6575bd08257a

SHA1
88b18450a4d9cc88e5f27c8d11c0323f475d1ae6

SHA256
a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd

SHA512
a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD7E.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\ConvertToNew.xlsx

Filesize
470KB

MD5
6c2acda4594df903df2c4dd81e615362

SHA1
9916ad256337b4b497c3ff0aaf6047e8d5ac412f

SHA256
0cc8be499216b786e64cf751362240061a78bf1732001903629a2f447a8c1755

SHA512
10c6ea462c8396eb117349e2e5b979db7e81df48e499bcbbff2b555356d42924861e25f6703f7abda7dfa6012521971ab7e5eeaf90ddfedc0f88ba59139a7924

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\NewResize.css

Filesize
219KB

MD5
085e9472e25f40347b405e60a977ca98

SHA1
d6cfda184dcf0495917548a0c8b876686b59caf5

SHA256
36ba080a13088373b7a5351e79b42c0a2d1643f7b5b3ade8b1ef60234f7fb89d

SHA512
e305b5886d7b94f127f8a2513c7a2f53e574b5d9121929f50398d2f0dc3ea637a6b86d523b84d262967b3fd43624f138aa2d5e16deb94a6daa70003f8ba92e8a

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\ReadFind.docx

Filesize
18KB

MD5
d7ad007f7bb870d476c6b5d5d6bc96ec

SHA1
76da389027b384fb4654f297a625f45ca106ff47

SHA256
4c808708443ed1e766045b629e42a677792626b9ade44fac91ceb6d94ceb37cc

SHA512
3f77af4cfb7a8590fc5ce8cf57cbdc76359979ac40687dd66c6c29ef11aeb4aaf20b17d8611f0fa4c3c3edc763c8c53ea5317fb5763f6fd5b0ebb3ad11a1806d

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\UndoRepair.docx

Filesize
16KB

MD5
92b0e90f83fdc3d543c73b930223aa6f

SHA1
0d5971341a83b209896328b440a254fd3e0ed120

SHA256
5b9e8da304a38475a07a7ca341a85b0783082d0e0b0932ae3a53249c3cc0004d

SHA512
19dda8967c362f009ec3ea3d9b8078ee18ecad1c6a4a606d6960eeb65fe6b4fd8b3a7e4948a22e1861ebec56399aee093124a5ff55d2a1e5b0c0914c577d1e7d

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\UnpublishCompress.xlsx

Filesize
10KB

MD5
f92908c755cc3605122169b4e2280280

SHA1
0aa83959abda1fd5e54792f0fed58922696ba001

SHA256
4bc1c9f753a730e9997db60260de252d07cb918cfd6c8ba59d04f597104f96e1

SHA512
cea4e3f6a175de9d547434fdad74a0571a5922c6434484558d51abb2c3472f5f656170e397d171b03413257cd06d4e02f3151598f6f13b4064c86ccb633cf1a3

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Documents\ConvertFromOpen.pdf

Filesize
476KB

MD5
118b64a4afecb4a6ebb75c22ff017028

SHA1
35ea5fc2875a93b6dd0a3e77ca088e8d2b22fd19

SHA256
d7b9c422c5a4308ec815334986ca838da33a5c9eb30fd59cec6b03caa801d109

SHA512
43b33c3445e84da5c93f2e3daa3746ebe23713481fef12d70c5bff2d4af0aa2c6f154afcf5265814d08b4a5099a00aae5843419f0b0db3802e1d5db7fc827437

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Downloads\CompressHide.rtf

Filesize
278KB

MD5
b724a61ac365000970868ab0c61c66f9

SHA1
5a0ede248eae1fb016af679b7b4e21db198ef628

SHA256
681b49c175dab3b6e4130e62d8fc5829f41208f13f5e4a0358ee6a09b53e0d88

SHA512
81e75dc973ed2e9232639f492c01d9e5808e2644e583e2e57bdc4b608f1b2b0ecfda1f9537436b6796a7631e343a8805998c5320d6e689c58fca40fe7ca47c89

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\WritePop.png

Filesize
526KB

MD5
9a30d37c49c14e7472da01e771675a36

SHA1
cd90daf189709ed049cafc1a2ce61b70e170d982

SHA256
aab2b7edbc99405cfdcd572709bbe04c3e0fe9bc8115837d1876960965ba6922

SHA512
bd8097892626ee4a7261d094c7a621e8a1db429dd9044ea6d849b583e385b6d54ca4894faf9065cefaa64a87adb3de423ad5302192a31967f1dda5150fe5256e

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\FileGrabber\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\InstalledSoftware.txt

Filesize
1KB

MD5
bca4ee4b0d73edf2835ac08ab38d1bd9

SHA1
a833d7663f5edecc050b37b7efd1d563268ea0df

SHA256
0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f

SHA512
48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

Download Submit
C:\Users\Admin\AppData\Local\ZTSLLRFH\Screen.png

Filesize
420KB

MD5
e927ccd318beae35280a715dbcf8eca1

SHA1
b97890888bad5927d0dd4fb31104e7849d443f5b

SHA256
739b5b1cdf163394aa8e5ec7e680b0e38e43f2c399d079d8f90aaacb87364006

SHA512
d3843c6ab9f2f786a4ae8ae57b03e0330392bc13b3c0aa5695b3c7cfde16eeec324fb7668c7bccab077d13e5605da3ad5945061e2672f57088aa83c4cdd348e3

Download Submit
memory/556-0-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/556-130-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1644-269-0x0000000006C80000-0x0000000006CE6000-memory.dmp

Filesize
408KB

Download
memory/2016-132-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2016-726-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2016-725-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2556-552-0x00000000722CE000-0x00000000722CF000-memory.dmp

Filesize
4KB

Download
memory/2556-131-0x00000000722C0000-0x0000000072A70000-memory.dmp

Filesize
7.7MB

Download
memory/2556-795-0x00000000722C0000-0x0000000072A70000-memory.dmp

Filesize
7.7MB

Download
memory/2556-112-0x00000000722CE000-0x00000000722CF000-memory.dmp

Filesize
4KB

Download
memory/2556-256-0x00000000067C0000-0x0000000006D64000-memory.dmp

Filesize
5.6MB

Download
memory/2556-254-0x0000000006170000-0x0000000006202000-memory.dmp

Filesize
584KB

Download
memory/2556-127-0x0000000000430000-0x0000000000486000-memory.dmp

Filesize
344KB

Download
memory/2556-553-0x00000000722C0000-0x0000000072A70000-memory.dmp

Filesize
7.7MB

Download
memory/3896-247-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

Filesize
64KB

Download
memory/3896-238-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

Filesize
64KB

Download
memory/3896-236-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

Filesize
64KB

Download
memory/3896-237-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

Filesize
64KB

Download
memory/3896-248-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

Filesize
64KB

Download
memory/3896-255-0x00007FF9B5270000-0x00007FF9B5280000-memory.dmp

Filesize
64KB

Download
memory/3896-271-0x00007FF9B5270000-0x00007FF9B5280000-memory.dmp

Filesize
64KB

Download