stormkitty | 8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2025 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Size

3.5MB
MD5

bc94fb14f22e7bdd8925899e3df74a9a
SHA1

2f9766d357e3b4769e211d0b78ddcb63c4665a9a
SHA256

8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55
SHA512

01fdc03786790f24de77ead2755b598fbf5508f416f145a65c43ebbb12e6567dd5a9cb4c583fc4dccd271cd14c2eb9a88d4f6c55591525ec884c2f138e350254
SSDEEP

49152:0I4JBgBnW/0bDlCv2smtkHbtnWYbRyU8jaQmJ2ip0goEfCTEYClGWS1bQIRMgpN4:07JF24DmIbtF69mJ2ip0EfxFlGHdRMG

Score

10^/10

stormkitty collection defense_evasion discovery spyware stealer themida trojan

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral2/memory/836-10-0x0000000000400000-0x0000000000D70000-memory.dmp	family_stormkitty
behavioral2/memory/836-11-0x0000000000400000-0x0000000000D70000-memory.dmp	family_stormkitty
behavioral2/memory/836-335-0x0000000000400000-0x0000000000D70000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
85	4912	Process not Found

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/836-10-0x0000000000400000-0x0000000000D70000-memory.dmp	themida
behavioral2/memory/836-11-0x0000000000400000-0x0000000000D70000-memory.dmp	themida
behavioral2/memory/836-335-0x0000000000400000-0x0000000000D70000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key opened	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key opened	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Desktop\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
File created	C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Documents\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
File created	C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Downloads\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
File created	C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Pictures\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
File created	C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Desktop\desktop.ini	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
6	freegeoip.app
37	api.ipify.org
38	api.ipify.org
40	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2496	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe

C:\Users\Admin\AppData\Local\Temp\8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe
"C:\Users\Admin\AppData\Local\Temp\8bcfd81ccfc02af640a747e29cca4b8eacca82bf4961c808b6cbebe2619d0a55.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:836

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUM3NkYxMjEtMTQ3Mi00MERFLTkwRjktRjA2QkE5Q0Y0NDNFfSIgdXNlcmlkPSJ7ODk0QjFFNkItNkYwMS00NTkxLThDNzYtRUZDMDc2MzVFOUE2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0Y4RTcyRUMtNzY4Qy00QjBBLTkxQ0MtRDMwOEI3MDBFMTA4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDI5NDg1MjExIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\XTCUYTNQ\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Desktop\SuspendEnter.ini

Filesize
155KB

MD5
584e4011e8c7f0d81cafff4d89e610b4

SHA1
0c667da3230c03be106e9cca637e04350c615480

SHA256
a9d7304c123f22e69c3b26ffc03a631c8b1bb629ade528293811e53e4840396e

SHA512
7a8293409ed11277798d2579242faab68eeb317b7bb695f33faeb2749d19b9438ab26873d4dc364fb785c9b221a0bc8a5b522481a8140ae39337a69d5c5a0d35

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Documents\ConnectRegister.pptx

Filesize
340KB

MD5
56c919e83900f06d61507f9c8154cc0d

SHA1
a6816254cc9b0498dbe1bec71a6292fc45de6966

SHA256
2df49cd1170b8126c05bf1e2257aaa8b7645fb445483c952b2465941fe8538d0

SHA512
a88059f9a25c74d8a14c35327e3dd6576b0e6258a00c8692706de57027ecc4c0f12f41930f6d3f63d838b05e075bd6702aead0805d91a29305342023ded01eba

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Documents\CopySync.docx

Filesize
489KB

MD5
be525ed4a232491e50976e07cb2603c2

SHA1
efbfeb005fce7b2d5aa0dfdd4dd24d552bd44149

SHA256
472699af58f6022b4701e8bfc2da3ed8c9d02a13ea65a33c70c03d72381a8dc4

SHA512
b3f5040e041f813b3a50c6e5f6b50d6505beaf79572027797e27a94cacdc195b5c1f96f05dccd0372ba825e468b7f827c8f4fd7cc7f015c2a9a1937c7073e782

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Documents\GrantMove.html

Filesize
202KB

MD5
10a98fc51b73a9600502939c96972560

SHA1
8f3091f17831cbfd05067bf3edc85e25f358219b

SHA256
ae9331645a50cc26ef6f6d68697491b7e58b8888b74cdad42455b3d1efcec5b2

SHA512
5b4ef0517584df20dbce87ad3e11fce723cee84b835eb0fa02c59ea19eeecbb5a3737f8a6c6adb280abbad2d1b9cc983aec810adb4edfa3406436c6fc96ad5a7

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Documents\MountRestore.xlsx

Filesize
531KB

MD5
fc6ff44f7b96afdc2cb9710affb3288e

SHA1
d91ec1a4f88973ed50a1cdbb324c877d6f7e53ac

SHA256
38420bcc6f1f21b56d469d4181898d36514115f9d1ae6acd5a7abe12c88a3cd4

SHA512
afdad8faed0ea1b20c42ee6c7383f741397dec2a847aa29e0b53c80b1acf672a027f06d8bfddde344da223a18dce5fadf4c7d397bcb2d4e154856758f96260ba

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Downloads\AssertRename.xlsx

Filesize
214KB

MD5
7f9a0b438c39db4f55568ff96efa66e3

SHA1
2b51c5e77690300f3cc16d5fce88e9a0003b5068

SHA256
f7d3c3187dc29c25e9ee326f07c276a76b176f57e6d2bbb7afd18e7c8621f2e0

SHA512
dc4b7ef196f5b2446062c352ea80dd1495d11db1e06af2253291a239f1ba29eb4b44929f1669bd88ca983c98c7b3e222d6df0b05067e6509e3e86780749a6f3e

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Downloads\HideRestore.xlsx

Filesize
287KB

MD5
7137965948ae5fecf187ff89cd7e9bc2

SHA1
aea4991b4020215784ba847139bc97ce9471a0a6

SHA256
ee8454d1a1896045fae5a33ad487b1a758c93465e0e03817812c3f054bcd1850

SHA512
59118c257d56e0819005a18ccd183cdc96a1ed2f46d210c0e8ebbfcdc585b8ba2599eabad5990975e13bd039f46b98a4d01d3bd88bfafb2650d39af31134fc67

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Downloads\MoveRequest.png

Filesize
539KB

MD5
eb25accf2973e863f27367d2dac8557b

SHA1
a3580d9d8427ea9f6d758e7b4c346bbe0b473732

SHA256
0deed242325b8ba03808cc712b85a05749c4c74ccf4d5f8ccb66207bad29d9eb

SHA512
5013931312305ce05892edbcd4ee6bbc361b97e291497212091057fe7f1b547dddc5256dd98f032a1ea6dfb77571983d0b96bfd9afa06bd286018c6af18af28c

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Downloads\StepWatch.jpeg

Filesize
413KB

MD5
cd47c162f677894978a69497de15878b

SHA1
b85b906adcaa3569e0d9cdb78208a1b573e1dd0d

SHA256
db7cb60f97a74d9f670be5fed0173027c52fd238cd0c71f43d120856f55c7af9

SHA512
c28395413ca8e9d9ebbfd11c39834d43e6a6668231aec798b29a0bf0ad03756be415e53ea42851c58332837b3d0c1a2554b966ca6de149e5e03b54065f9a5d85

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Pictures\ExitConfirm.jpeg

Filesize
459KB

MD5
f59c692373fcf2db167d2d8092838584

SHA1
67b8aee5f63b862341414cad97c40b4963da478a

SHA256
efe27bec13a5504ec16e35ad5b824384f5f01d88365cab7f7ae97358867af87e

SHA512
ce79e885f5a047acdb2a5db2b8b039e3792715f47bb3638c5e4106569be62d3135ab7e486319cfec77ae3e61788d5c075f4524b0672eed2007652d29e9669d71

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Pictures\InstallRestart.jpg

Filesize
359KB

MD5
140922a5c705defb880c5fb20cc35b0b

SHA1
4cad047df2266f1f683fccea6fe288eac06f5c5d

SHA256
fc734a9bd6a89f92b4c901aa15d5915c221a5d08289037f25b702abe3f0c9301

SHA512
da9b4e30fb6db9631a7e0d6372309faa38789580104fe70787b6f3e8ad63dc4369bb2bd076a2d0f35fc5cd6f2a2612c1d7567e9f39811c5cc9712a752c7852c1

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Pictures\RestoreSync.bmp

Filesize
215KB

MD5
cfe12b71f83f685ea8923aaa76182b04

SHA1
2488dda6a24f520aa767367d1baf6b7e2d8608d9

SHA256
e9b4a8012ef592056bddeb684c33ed1451183b0ec112e17b3372f65f0992cbaf

SHA512
87b78a261ff4e49c6bc93a20b972e1753a13b989bbec64f2325c5bdeca607a2ccedc5a8e0bf9d36aa7b6a5c7eeb4260400f31b4c194ed28810e1f63ec71a0666

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\FileGrabber\Pictures\StartGet.jpg

Filesize
474KB

MD5
92f79d75288b1ae7962fadfb5baa2ca2

SHA1
307e7bcdcdd54a9fec812e42165151894376e84b

SHA256
05ce84dd245ab2bfee613e1e0bc0e4d99e75e3d52b8799f0d8fd859b651e736f

SHA512
4ad59e373bf7b12cda459e5fd656e97650c8fe7932a89c897361bd86def5ef54ece95801180b0c01beba6a371e49a589e0a9496b6dca538d5d3ee93569746c5c

Download Submit
C:\Users\Admin\AppData\Local\XTCUYTNQ\Process.txt

Filesize
4KB

MD5
6897c98af1b2f335d2be8de61f743fc5

SHA1
2395c4e4b528fe2102bc82e575e39c5dc25222b4

SHA256
b6c1f70c8e572af925207671913820e51780a567fc290483b0287904f93d8e05

SHA512
5ed2296ef951b58cecc2cb153f5b7c5e088678fef829f093111de34aa79f7b86d5235cc7b904ca0eee222e63f4e3415fd2371135113e76607a79e0a765a8d9b1

Download Submit
memory/836-10-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/836-11-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/836-63-0x0000000076E40000-0x0000000076E41000-memory.dmp

Filesize
4KB

Download
memory/836-132-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-144-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-143-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-177-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-51-0x0000000006D20000-0x0000000006D86000-memory.dmp

Filesize
408KB

Download
memory/836-48-0x00000000064B0000-0x0000000006542000-memory.dmp

Filesize
584KB

Download
memory/836-49-0x0000000006550000-0x0000000006AF4000-memory.dmp

Filesize
5.6MB

Download
memory/836-47-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/836-111-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-1-0x0000000076E40000-0x0000000076E41000-memory.dmp

Filesize
4KB

Download
memory/836-8-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-3-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-7-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-4-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-5-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-6-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-0-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download
memory/836-2-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-334-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/836-335-0x0000000000400000-0x0000000000D70000-memory.dmp

Filesize
9.4MB

Download