diamondfox | 4798591a79be1fe28b70af10883e655ee16ca90e858b0463154bccada7cb0fa4

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

90KB
MD5

1d5b46ff3cd12fd31362557299d6f488
SHA1

42f5d828b03f5e4c03e9f935683b5d82e6e7dc26
SHA256

2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c
SHA512

4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Score

10^/10

diamondfox botnet discovery spyware stealer

Malware Config

Extracted

Family

diamondfox

https://www.datanalysis.club/ms/gate.php

https://www.datanalysis.site/ms/gate.php

https://www.datanalysis.space/ms/gate.php

Mutex

cBFxpht5aCf0jy4gnUs3JgtqCB2O2tWJ

xor.plain

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 25 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
behavioral1/memory/1160-26-0x0000000006380000-0x0000000006390000-memory.dmp	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe	diamondfox

Executes dropped EXE 5 IoCs

Processes:

atiedxx.exeatiedxx.exeatiedxx.exeatiedxx.exeatiedxx.exe

pid process

1040 atiedxx.exe
884 atiedxx.exe
472 atiedxx.exe
960 atiedxx.exe
1080 atiedxx.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk powershell.exe

pid	process
1040	atiedxx.exe
884	atiedxx.exe
472	atiedxx.exe
960	atiedxx.exe
1080	atiedxx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk	powershell.exe

Loads dropped DLL 18 IoCs

Processes:

powershell.exeatiedxx.exepowershell.exeatiedxx.exeatiedxx.exeatiedxx.exeatiedxx.exe

pid	process
1160	powershell.exe
1160	powershell.exe
1040	atiedxx.exe
1040	atiedxx.exe
240	powershell.exe
1040	atiedxx.exe
884	atiedxx.exe
884	atiedxx.exe
1040	atiedxx.exe
472	atiedxx.exe
472	atiedxx.exe
1040	atiedxx.exe
960	atiedxx.exe
960	atiedxx.exe
1040	atiedxx.exe
1080	atiedxx.exe
1080	atiedxx.exe
1040	atiedxx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

atiedxx.exe

description	pid	process	target process
PID 1040 set thread context of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 set thread context of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 set thread context of 960	1040	atiedxx.exe	atiedxx.exe
PID 1040 set thread context of 1080	1040	atiedxx.exe	atiedxx.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

atiedxx.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	atiedxx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	atiedxx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = e08574fe98bcd601	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	atiedxx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	atiedxx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	atiedxx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy = "1"	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	atiedxx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	atiedxx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	atiedxx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	atiedxx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = e08574fe98bcd601	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	atiedxx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	atiedxx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	atiedxx.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

atiedxx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	atiedxx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	atiedxx.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1900 PING.EXE

pid	process
1900	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exePowershell.exeatiedxx.exeatiedxx.exe

pid	process
1160	powershell.exe
1160	powershell.exe
240	powershell.exe
240	powershell.exe
412	Powershell.exe
412	Powershell.exe
884	atiedxx.exe
884	atiedxx.exe
472	atiedxx.exe
472	atiedxx.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exePowershell.exeatiedxx.exeatiedxx.exe

description	pid	process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	412	Powershell.exe
Token: SeDebugPrivilege	884	atiedxx.exe
Token: SeCreateTokenPrivilege	884	atiedxx.exe
Token: SeDebugPrivilege	960	atiedxx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

setup.exeatiedxx.exe

pid process

836 setup.exe
1040 atiedxx.exe

pid	process
836	setup.exe
1040	atiedxx.exe

Suspicious use of WriteProcessMemory 101 IoCs

Processes:

setup.exepowershell.exeatiedxx.exeatiedxx.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 1160	836	setup.exe	powershell.exe
PID 836 wrote to memory of 1160	836	setup.exe	powershell.exe
PID 836 wrote to memory of 1160	836	setup.exe	powershell.exe
PID 836 wrote to memory of 1160	836	setup.exe	powershell.exe
PID 836 wrote to memory of 1160	836	setup.exe	powershell.exe
PID 836 wrote to memory of 1160	836	setup.exe	powershell.exe
PID 836 wrote to memory of 1160	836	setup.exe	powershell.exe
PID 1160 wrote to memory of 1040	1160	powershell.exe	atiedxx.exe
PID 1160 wrote to memory of 1040	1160	powershell.exe	atiedxx.exe
PID 1160 wrote to memory of 1040	1160	powershell.exe	atiedxx.exe
PID 1160 wrote to memory of 1040	1160	powershell.exe	atiedxx.exe
PID 1160 wrote to memory of 1040	1160	powershell.exe	atiedxx.exe
PID 1160 wrote to memory of 1040	1160	powershell.exe	atiedxx.exe
PID 1160 wrote to memory of 1040	1160	powershell.exe	atiedxx.exe
PID 1040 wrote to memory of 240	1040	atiedxx.exe	powershell.exe
PID 1040 wrote to memory of 240	1040	atiedxx.exe	powershell.exe
PID 1040 wrote to memory of 240	1040	atiedxx.exe	powershell.exe
PID 1040 wrote to memory of 240	1040	atiedxx.exe	powershell.exe
PID 1040 wrote to memory of 240	1040	atiedxx.exe	powershell.exe
PID 1040 wrote to memory of 240	1040	atiedxx.exe	powershell.exe
PID 1040 wrote to memory of 240	1040	atiedxx.exe	powershell.exe
PID 1040 wrote to memory of 412	1040	atiedxx.exe	Powershell.exe
PID 1040 wrote to memory of 412	1040	atiedxx.exe	Powershell.exe
PID 1040 wrote to memory of 412	1040	atiedxx.exe	Powershell.exe
PID 1040 wrote to memory of 412	1040	atiedxx.exe	Powershell.exe
PID 1040 wrote to memory of 412	1040	atiedxx.exe	Powershell.exe
PID 1040 wrote to memory of 412	1040	atiedxx.exe	Powershell.exe
PID 1040 wrote to memory of 412	1040	atiedxx.exe	Powershell.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 884	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 1040 wrote to memory of 472	1040	atiedxx.exe	atiedxx.exe
PID 884 wrote to memory of 1576	884	atiedxx.exe	cmd.exe
PID 884 wrote to memory of 1576	884	atiedxx.exe	cmd.exe
PID 884 wrote to memory of 1576	884	atiedxx.exe	cmd.exe
PID 884 wrote to memory of 1576	884	atiedxx.exe	cmd.exe
PID 884 wrote to memory of 1576	884	atiedxx.exe	cmd.exe
PID 884 wrote to memory of 1576	884	atiedxx.exe	cmd.exe
PID 884 wrote to memory of 1576	884	atiedxx.exe	cmd.exe
PID 1576 wrote to memory of 1900	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1900	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1900	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1900	1576	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\setup.exe' -Destination 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe'
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
"C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe';$shortcut.Save()
4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1900

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\1.log
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:472

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\2.log
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\3.log
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080

C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\tiedaxx\4.log
4⤵
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9d0422db1c12ca1c400e44bade293010

SHA1
ec185a8ff92502931af68c3b7585b23493e996ca

SHA256
5116b254daaf2e0fcb02e47707855597b59fe92fe041023d349f69f5723ab2bf

SHA512
a2894f878275332cfdc35c0fd68d9c392cd06e7b6bf57eb437d643755653ce6add58f6dd93aa2be71b1a7596b059a60f3c8f6de4bbd6efcc45233e64f38d86cd

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\1.log
MD5
4f7d90f045ae07792fb8d76bce925854

SHA1
c39b2866368f2c88c1865aa5577792bd2fb8bfe5

SHA256
df74b997137fec63589828cafa9df9bfe272b330ffb8743fa4db79096a0fdc34

SHA512
4ce48987acf465b7064d0162449eaf929b1e80dc760fe2da72e2841754a34536be5b2c17ade17d58e76c31bc9fdd6540820191395b9399287aabf4007274ae71

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49d2b77c96d595adb433eae81478f39a

SHA1
2b322564112037bcdba3b519110f9c42a59e89e6

SHA256
b4d1d4c1aaaa7c380dc8a21cc2d0f07edb4d3abb901eee58cdfadc024c62f738

SHA512
a9f36606c2a09b0287b2610ac79ea996b0733a86a1c404682eb2cc2492f8287a15cdd6ee94c00d42124baf6aa8c0dbbc225855b6ba75f8cd846c6e11ee2ba2ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
30c645dc7c6c4ef8d6fe5b5ad329e824

SHA1
14b074cafc6fd05acfdc89d5827b80a23df7fc97

SHA256
e1237673ee356f6f86eb7375f3b2c8613200474b097a31ad3032fcd14e555c0c

SHA512
6d9e346a85254baa29573e66a93c5e4a063bd18d7c5faae471478776c9b8b0a62a37afe95081e3c296324e9f29854eee8bce54d09efae31de2047e0f267662e5

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
\Users\Admin\AppData\Local\tiedaxx\atiedxx.exe
MD5
1d5b46ff3cd12fd31362557299d6f488

SHA1
42f5d828b03f5e4c03e9f935683b5d82e6e7dc26

SHA256
2f134d1467c3765898a1befc311b86414f8df96d307a6f05b23eebbb8866a69c

SHA512
4dd2071b369bd150da53446313fff30b08054b8724a02444c400db2f0b14062c51a5aff2390b1845cc87b629ffc77ecc5e72877f77f824553b6f68a7b39a9d23

Download Submit
memory/240-37-0x0000000000000000-mapping.dmp

Download
memory/240-43-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/240-53-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/240-41-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/240-42-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/240-39-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/240-40-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/412-63-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/412-61-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/412-60-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/412-66-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/412-78-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/412-79-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/412-55-0x0000000000000000-mapping.dmp

Download
memory/412-59-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/412-58-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/412-57-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download
memory/472-88-0x0000000000447D8A-mapping.dmp

Download
memory/472-87-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/472-90-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/884-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/884-81-0x0000000000415D43-mapping.dmp

Download
memory/960-97-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/960-100-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/960-98-0x0000000000413E10-mapping.dmp

Download
memory/1040-29-0x0000000000000000-mapping.dmp

Download
memory/1080-104-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1080-107-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1080-105-0x000000000041211A-mapping.dmp

Download
memory/1160-26-0x0000000006380000-0x0000000006390000-memory.dmp

Filesize
64KB

Download
memory/1160-4-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1160-2-0x0000000000000000-mapping.dmp

Download
memory/1160-16-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/1160-15-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/1160-10-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1160-7-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1160-23-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/1160-24-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/1160-3-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1160-6-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1160-5-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1576-93-0x0000000000000000-mapping.dmp

Download
memory/1592-86-0x000007FEF7C70000-0x000007FEF7EEA000-memory.dmp

Filesize
2.5MB

Download
memory/1900-94-0x0000000000000000-mapping.dmp

Download