danabot | 46c3c96de71f691a7247112fe80d61599ab91e8ead7db41cfab9af64357d10cc

Analysis

max time kernel
128s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
10-06-2021 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

943b992da5eff312e494f02e270feccf.exe
Size

1.3MB
MD5

943b992da5eff312e494f02e270feccf
SHA1

5078fdbac8b7af3e3b44eb6fb45be6eb447d870a
SHA256

46c3c96de71f691a7247112fe80d61599ab91e8ead7db41cfab9af64357d10cc
SHA512

b7dcfc920f9bca227b01a30679936052bfa082625e7ba82883addd896d09411b67a0477e99dc2e8b0838137d8fa9584ae1d6aa183cc8ebfbdbe7ec2f471475e4

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

192.210.198.12:443

37.220.31.50:443

184.95.51.183:443

184.95.51.175:443

Attributes

embedded_hash
410EB249B3A3D8613B29638D583F7193

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

18 1364 RUNDLL32.EXE
21 936 WScript.exe
23 936 WScript.exe
25 936 WScript.exe
27 936 WScript.exe
29 936 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

vpn.exe4.exeRitornata.exe.comRitornata.exe.comSmartClock.exenumxbpn.exe

pid process

2012 vpn.exe
1140 4.exe
1280 Ritornata.exe.com
1440 Ritornata.exe.com
1720 SmartClock.exe
1668 numxbpn.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe

flow	pid	process
18	1364	RUNDLL32.EXE
21	936	WScript.exe
23	936	WScript.exe
25	936	WScript.exe
27	936	WScript.exe
29	936	WScript.exe

pid	process
2012	vpn.exe
1140	4.exe
1280	Ritornata.exe.com
1440	Ritornata.exe.com
1720	SmartClock.exe
1668	numxbpn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

Loads dropped DLL 29 IoCs

Processes:

943b992da5eff312e494f02e270feccf.exevpn.exe4.execmd.exeRitornata.exe.comSmartClock.exeRitornata.exe.comnumxbpn.exerundll32.exeRUNDLL32.EXE

pid	process
1748	943b992da5eff312e494f02e270feccf.exe
1748	943b992da5eff312e494f02e270feccf.exe
1748	943b992da5eff312e494f02e270feccf.exe
1748	943b992da5eff312e494f02e270feccf.exe
2012	vpn.exe
2012	vpn.exe
1140	4.exe
1140	4.exe
1140	4.exe
1128	cmd.exe
1280	Ritornata.exe.com
1140	4.exe
1140	4.exe
1140	4.exe
1720	SmartClock.exe
1720	SmartClock.exe
1720	SmartClock.exe
1440	Ritornata.exe.com
1440	Ritornata.exe.com
1668	numxbpn.exe
1668	numxbpn.exe
1948	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
1364	RUNDLL32.EXE
1364	RUNDLL32.EXE
1364	RUNDLL32.EXE
1364	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	RUNDLL32.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

flow	ioc
7	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

943b992da5eff312e494f02e270feccf.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	943b992da5eff312e494f02e270feccf.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	943b992da5eff312e494f02e270feccf.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	943b992da5eff312e494f02e270feccf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ritornata.exe.comRUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ritornata.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ritornata.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRitornata.exe.com

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Ritornata.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Ritornata.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1308 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1720 SmartClock.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

1396 powershell.exe
1396 powershell.exe
1364 RUNDLL32.EXE
1364 RUNDLL32.EXE
1980 powershell.exe
1980 powershell.exe

pid	process
1308	PING.EXE

pid	process
1720	SmartClock.exe

pid	process
1396	powershell.exe
1396	powershell.exe
1364	RUNDLL32.EXE
1364	RUNDLL32.EXE
1980	powershell.exe
1980	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1948	rundll32.exe
Token: SeDebugPrivilege	1364	RUNDLL32.EXE
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

vpn.exeRUNDLL32.EXE

pid process

2012 vpn.exe
1364 RUNDLL32.EXE

pid	process
2012	vpn.exe
1364	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

943b992da5eff312e494f02e270feccf.exevpn.execmd.execmd.exeRitornata.exe.com4.exe

description	pid	process	target process
PID 1748 wrote to memory of 2012	1748	943b992da5eff312e494f02e270feccf.exe	vpn.exe
PID 1748 wrote to memory of 2012	1748	943b992da5eff312e494f02e270feccf.exe	vpn.exe
PID 1748 wrote to memory of 2012	1748	943b992da5eff312e494f02e270feccf.exe	vpn.exe
PID 1748 wrote to memory of 2012	1748	943b992da5eff312e494f02e270feccf.exe	vpn.exe
PID 1748 wrote to memory of 2012	1748	943b992da5eff312e494f02e270feccf.exe	vpn.exe
PID 1748 wrote to memory of 2012	1748	943b992da5eff312e494f02e270feccf.exe	vpn.exe
PID 1748 wrote to memory of 2012	1748	943b992da5eff312e494f02e270feccf.exe	vpn.exe
PID 1748 wrote to memory of 1140	1748	943b992da5eff312e494f02e270feccf.exe	4.exe
PID 1748 wrote to memory of 1140	1748	943b992da5eff312e494f02e270feccf.exe	4.exe
PID 1748 wrote to memory of 1140	1748	943b992da5eff312e494f02e270feccf.exe	4.exe
PID 1748 wrote to memory of 1140	1748	943b992da5eff312e494f02e270feccf.exe	4.exe
PID 1748 wrote to memory of 1140	1748	943b992da5eff312e494f02e270feccf.exe	4.exe
PID 1748 wrote to memory of 1140	1748	943b992da5eff312e494f02e270feccf.exe	4.exe
PID 1748 wrote to memory of 1140	1748	943b992da5eff312e494f02e270feccf.exe	4.exe
PID 2012 wrote to memory of 1704	2012	vpn.exe	dllhost.exe
PID 2012 wrote to memory of 1704	2012	vpn.exe	dllhost.exe
PID 2012 wrote to memory of 1704	2012	vpn.exe	dllhost.exe
PID 2012 wrote to memory of 1704	2012	vpn.exe	dllhost.exe
PID 2012 wrote to memory of 1704	2012	vpn.exe	dllhost.exe
PID 2012 wrote to memory of 1704	2012	vpn.exe	dllhost.exe
PID 2012 wrote to memory of 1704	2012	vpn.exe	dllhost.exe
PID 2012 wrote to memory of 1856	2012	vpn.exe	cmd.exe
PID 2012 wrote to memory of 1856	2012	vpn.exe	cmd.exe
PID 2012 wrote to memory of 1856	2012	vpn.exe	cmd.exe
PID 2012 wrote to memory of 1856	2012	vpn.exe	cmd.exe
PID 2012 wrote to memory of 1856	2012	vpn.exe	cmd.exe
PID 2012 wrote to memory of 1856	2012	vpn.exe	cmd.exe
PID 2012 wrote to memory of 1856	2012	vpn.exe	cmd.exe
PID 1856 wrote to memory of 1128	1856	cmd.exe	cmd.exe
PID 1856 wrote to memory of 1128	1856	cmd.exe	cmd.exe
PID 1856 wrote to memory of 1128	1856	cmd.exe	cmd.exe
PID 1856 wrote to memory of 1128	1856	cmd.exe	cmd.exe
PID 1856 wrote to memory of 1128	1856	cmd.exe	cmd.exe
PID 1856 wrote to memory of 1128	1856	cmd.exe	cmd.exe
PID 1856 wrote to memory of 1128	1856	cmd.exe	cmd.exe
PID 1128 wrote to memory of 1296	1128	cmd.exe	findstr.exe
PID 1128 wrote to memory of 1296	1128	cmd.exe	findstr.exe
PID 1128 wrote to memory of 1296	1128	cmd.exe	findstr.exe
PID 1128 wrote to memory of 1296	1128	cmd.exe	findstr.exe
PID 1128 wrote to memory of 1296	1128	cmd.exe	findstr.exe
PID 1128 wrote to memory of 1296	1128	cmd.exe	findstr.exe
PID 1128 wrote to memory of 1296	1128	cmd.exe	findstr.exe
PID 1128 wrote to memory of 1280	1128	cmd.exe	Ritornata.exe.com
PID 1128 wrote to memory of 1280	1128	cmd.exe	Ritornata.exe.com
PID 1128 wrote to memory of 1280	1128	cmd.exe	Ritornata.exe.com
PID 1128 wrote to memory of 1280	1128	cmd.exe	Ritornata.exe.com
PID 1128 wrote to memory of 1280	1128	cmd.exe	Ritornata.exe.com
PID 1128 wrote to memory of 1280	1128	cmd.exe	Ritornata.exe.com
PID 1128 wrote to memory of 1280	1128	cmd.exe	Ritornata.exe.com
PID 1128 wrote to memory of 1308	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 1308	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 1308	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 1308	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 1308	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 1308	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 1308	1128	cmd.exe	PING.EXE
PID 1280 wrote to memory of 1440	1280	Ritornata.exe.com	Ritornata.exe.com
PID 1280 wrote to memory of 1440	1280	Ritornata.exe.com	Ritornata.exe.com
PID 1280 wrote to memory of 1440	1280	Ritornata.exe.com	Ritornata.exe.com
PID 1280 wrote to memory of 1440	1280	Ritornata.exe.com	Ritornata.exe.com
PID 1280 wrote to memory of 1440	1280	Ritornata.exe.com	Ritornata.exe.com
PID 1280 wrote to memory of 1440	1280	Ritornata.exe.com	Ritornata.exe.com
PID 1280 wrote to memory of 1440	1280	Ritornata.exe.com	Ritornata.exe.com
PID 1140 wrote to memory of 1720	1140	4.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\943b992da5eff312e494f02e270feccf.exe
"C:\Users\Admin\AppData\Local\Temp\943b992da5eff312e494f02e270feccf.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Questa.mui
3⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^bkKukanvvIaviummCuKudmQWXJRADyBlRAsoRwEThgwuiCesPIojDwzYxNpBAXTdiiEGPdHACRTwbKPxGALUXfHPizOtSezfcKZZYcCnqHJMosAJYPUqkYzRAOnvCDI$" Tocchi.mui
5⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
Ritornata.exe.com h
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com h
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
PID:1440

C:\Users\Admin\AppData\Local\Temp\numxbpn.exe
"C:\Users\Admin\AppData\Local\Temp\numxbpn.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\numxbpn.exe
8⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL,Z1oN
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5B98.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp711D.tmp.ps1"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
11⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
10⤵
PID:1824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fxkbrusbrjsg.vbs"
7⤵
PID:1612

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ljckjyvbhkfa.vbs"
7⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:936

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
5⤵
- Runs ping.exe
PID:1308

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c8b677ef62b837047958e696a6edff8b

SHA1
af10e47cceb0a1049bdbbf432a1d567c6428ae4e

SHA256
f67c48db03ad6c0cc57b5755c1cc495238c53bc381155be361687415634bb66c

SHA512
c257f785f693cbb5319fac724894d4147e7b916585376b9a966b375a29942ae2278c1ba84a50fe0fdaf013404b3b4a7fe785d2078a0744a78e2c80a23e44af4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
805069b6b122c239408d0a6f6f295637

SHA1
6482d13f10dd4880bf13c2ebef69fe34e105bd48

SHA256
de2c34a9487868e2aafa5ceb0eb4f8ccfb292c621c95e7a5076d01613f07a48c

SHA512
76057b67cc24629754f47d4efacb103d4476f4eca11cc1d98aaf06ddbd490e61715bab7704c2bec6adb98471d4f1447956c05ed68a61cabf7be33ae3f330c959

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quando.mui
MD5
2d6336f72a3c1157257324be430e78f5

SHA1
24b49a1a4c2ed11d9736439ad8886dcba0c33c6a

SHA256
a0826bcbf9adea88158640146cb2cffcf773e32824f4aa3a73d867a4bd532e49

SHA512
fab9b97bd5a652b72318e7cd4c6ae952491bde96ca5c859877514f4ef3ee4716e57701d908400107600391ee3e55a586f66e3172a1476e05f58e5e3cd649eb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Questa.mui
MD5
b62c547f5f658d070f3ddc82b0fb3868

SHA1
983dfe0c7c7914875af6158632ef2dc84f21bff2

SHA256
e51d5e55f67529ca949ce58a61afcdc5d92188cafece914a1b6a87e49215e661

SHA512
6be41b35fc156befa6f947d59a51161a7cd6761e4fa26bdb8c68705d439b5a6f5bf1dd0881c4a2fa3f8acfaa707bddd02455e21a9281d3a1807a62bb8a12aac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ricordarmi.mui
MD5
73bac4ffe318c194c0cae6e4fe10b88d

SHA1
0084fc54977f07c35aaaa6d3c228f244bdcd0d8b

SHA256
99a524a1e56311da3708655e1199e845c0ee57798773005aed6818fb1d1e5195

SHA512
b5ceb472a9b5cfa92d9e489126feef8962e57d485fa0d3a9f56d2b20dad57f6da097706b68104854d35ad1e7ed9861a6309ed69a5bf6c57abcc6b11bc6a96ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tocchi.mui
MD5
1b1eca6ed02020892df62e9d79c2c2cd

SHA1
be9aace354a0ab53fe1a187e8b2ccda2c524e336

SHA256
eb5d411bf93fbce1354a8270cfea181b7db1e8e7792fa8b3297234e5e8be542e

SHA512
fa9fb2db07c8360f1f220a055ad476be5e9ece9bb308ea09dc42d09f06ed2c74ba4fd20746af29dfec94fcc404f78523c235b913a6c131cf5789c4e9e77f176e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\h
MD5
73bac4ffe318c194c0cae6e4fe10b88d

SHA1
0084fc54977f07c35aaaa6d3c228f244bdcd0d8b

SHA256
99a524a1e56311da3708655e1199e845c0ee57798773005aed6818fb1d1e5195

SHA512
b5ceb472a9b5cfa92d9e489126feef8962e57d485fa0d3a9f56d2b20dad57f6da097706b68104854d35ad1e7ed9861a6309ed69a5bf6c57abcc6b11bc6a96ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C05.tmp
MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
9ea7c37369fa79acd572676e116da600

SHA1
b28496e01ac8286abeb9ff1763202336547c4295

SHA256
d84d5f46aff7558ecac285457ab90ec833da78af47529e6a2aa41903649639dd

SHA512
5a41a7f773ed15a81b8d6e4245230bf3f4fd1cd8472ee27c6f35f5c04875b59bdd3dbd0191fb9729d6dd0d8012c78d00a5dd0f7f0266888eea6df71f9f043f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
9ea7c37369fa79acd572676e116da600

SHA1
b28496e01ac8286abeb9ff1763202336547c4295

SHA256
d84d5f46aff7558ecac285457ab90ec833da78af47529e6a2aa41903649639dd

SHA512
5a41a7f773ed15a81b8d6e4245230bf3f4fd1cd8472ee27c6f35f5c04875b59bdd3dbd0191fb9729d6dd0d8012c78d00a5dd0f7f0266888eea6df71f9f043f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxkbrusbrjsg.vbs
MD5
544f36dc174d1c4ab713561d1da8ef03

SHA1
616f080752a7461ad9d700e6826fdd73cc35218c

SHA256
e0be170d672a17dec23e3cb2bd5dcdfd1be167e36dc3278a1013c78fa94f9bc0

SHA512
b298423f33ea78b21aaf07855bd19355b67bd19e3abf2eb45794fc8e094f703322d5261c67bc3ac2566bdff2ee6df3d4800f81111d507a3f6fc5b3ffaaad79b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljckjyvbhkfa.vbs
MD5
afa0edffd1e12cd12b3cf96a58f3b48d

SHA1
4f95ed663c07df230ef0d93418444fe46b699ca5

SHA256
5488a93bf615a10b93d7c9ec5046e0030fb6e8ba635c6272e1e354b0d0c6da30

SHA512
ac74c46f42ae11f7b76af4557008c15d5bd682426a10bad404dc1502c7241e7d4fc64a6abeebbf30c912df3d54712d2cb8719bf20caf5328d54ccb570e130b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\numxbpn.exe
MD5
9e3f056b85f50edf1e2f32b229b12efc

SHA1
d52aa38d6e9426a4078552e8df57349e2a165736

SHA256
5bcdd2819f7cff4f700eb8265fb2c072f808e06b683af113013dbb50e56bb19d

SHA512
17b871aa829321e90959dacc3db35a39c49fbd7c33fab1e1442bb453245cb09cc7942d5d9758e467d318b56aa2642c928b5ab381f495d22036592401030aac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\numxbpn.exe
MD5
9e3f056b85f50edf1e2f32b229b12efc

SHA1
d52aa38d6e9426a4078552e8df57349e2a165736

SHA256
5bcdd2819f7cff4f700eb8265fb2c072f808e06b683af113013dbb50e56bb19d

SHA512
17b871aa829321e90959dacc3db35a39c49fbd7c33fab1e1442bb453245cb09cc7942d5d9758e467d318b56aa2642c928b5ab381f495d22036592401030aac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B98.tmp.ps1
MD5
0994f00250e518ce1b44e55385cb0641

SHA1
d9c7ad0f651161922543d631bc53f786542272d2

SHA256
b56d46f6488c3d013b423fe3c07b3cbf909b7ea55c807b42e59559c984a66449

SHA512
7a6e6aa8b4cb49f470258df21e1e3fb3dfd4e1dcd5bf9e1842448f09da11e115776c9947df9632ee7c1010554968c15eed0c6fd2108d60cb26a1125490060fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp711D.tmp.ps1
MD5
9fff63f3c680e2d8caa9038c5d68f92a

SHA1
319b7e076f630015979399b2af33a5038f6a1333

SHA256
e436b2662187e95dc882b079c4a5b12c7088f0dfbc5ed9e9dc4415b88bc1dfa6

SHA512
c62c02fe5fbfc21931c6979e26017b852afdb27caae97258fc4a95388a054b502b5112f5dcbc4e9e3ddee454f56063752ae2705bad96d38c9863c8fcbae4ae64

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp711E.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
691d3b363315d29d80a963406deffd9e

SHA1
9d9cfc1976e17ac64339543d6b4eddfb7b0f45e8

SHA256
a61d94569d842264611fc5269489c5fb4f5f07c2a7a9c5efea61a8f70a13cf9d

SHA512
69b16ca3390792f85a23a8a96f5fbaeec50c8e12c7ab3a21bae2952ceac34ba849cb20d7702d0154e3d67090e375a8bf5a6f0879999f1f8ecc14eb0710cb6de1

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\NUMXBP~1.DLL
MD5
d737e87a8c985246adb399d0a8bf9b3b

SHA1
2ed4f18c905108e45535ea0e8fa7cb2187675f87

SHA256
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7

SHA512
9257b42d3b4ded392582d72107692d212d46252f218754149882c8faa65aae06881eee8be291f96da43f88f120878faeba23fa3c98f9cf99c9392f702f1a949b

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
9ea7c37369fa79acd572676e116da600

SHA1
b28496e01ac8286abeb9ff1763202336547c4295

SHA256
d84d5f46aff7558ecac285457ab90ec833da78af47529e6a2aa41903649639dd

SHA512
5a41a7f773ed15a81b8d6e4245230bf3f4fd1cd8472ee27c6f35f5c04875b59bdd3dbd0191fb9729d6dd0d8012c78d00a5dd0f7f0266888eea6df71f9f043f59

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
9ea7c37369fa79acd572676e116da600

SHA1
b28496e01ac8286abeb9ff1763202336547c4295

SHA256
d84d5f46aff7558ecac285457ab90ec833da78af47529e6a2aa41903649639dd

SHA512
5a41a7f773ed15a81b8d6e4245230bf3f4fd1cd8472ee27c6f35f5c04875b59bdd3dbd0191fb9729d6dd0d8012c78d00a5dd0f7f0266888eea6df71f9f043f59

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
9ea7c37369fa79acd572676e116da600

SHA1
b28496e01ac8286abeb9ff1763202336547c4295

SHA256
d84d5f46aff7558ecac285457ab90ec833da78af47529e6a2aa41903649639dd

SHA512
5a41a7f773ed15a81b8d6e4245230bf3f4fd1cd8472ee27c6f35f5c04875b59bdd3dbd0191fb9729d6dd0d8012c78d00a5dd0f7f0266888eea6df71f9f043f59

Download Submit
\Users\Admin\AppData\Local\Temp\nsiD99.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\numxbpn.exe
MD5
9e3f056b85f50edf1e2f32b229b12efc

SHA1
d52aa38d6e9426a4078552e8df57349e2a165736

SHA256
5bcdd2819f7cff4f700eb8265fb2c072f808e06b683af113013dbb50e56bb19d

SHA512
17b871aa829321e90959dacc3db35a39c49fbd7c33fab1e1442bb453245cb09cc7942d5d9758e467d318b56aa2642c928b5ab381f495d22036592401030aac87

Download Submit
\Users\Admin\AppData\Local\Temp\numxbpn.exe
MD5
9e3f056b85f50edf1e2f32b229b12efc

SHA1
d52aa38d6e9426a4078552e8df57349e2a165736

SHA256
5bcdd2819f7cff4f700eb8265fb2c072f808e06b683af113013dbb50e56bb19d

SHA512
17b871aa829321e90959dacc3db35a39c49fbd7c33fab1e1442bb453245cb09cc7942d5d9758e467d318b56aa2642c928b5ab381f495d22036592401030aac87

Download Submit
\Users\Admin\AppData\Local\Temp\numxbpn.exe
MD5
9e3f056b85f50edf1e2f32b229b12efc

SHA1
d52aa38d6e9426a4078552e8df57349e2a165736

SHA256
5bcdd2819f7cff4f700eb8265fb2c072f808e06b683af113013dbb50e56bb19d

SHA512
17b871aa829321e90959dacc3db35a39c49fbd7c33fab1e1442bb453245cb09cc7942d5d9758e467d318b56aa2642c928b5ab381f495d22036592401030aac87

Download Submit
\Users\Admin\AppData\Local\Temp\numxbpn.exe
MD5
9e3f056b85f50edf1e2f32b229b12efc

SHA1
d52aa38d6e9426a4078552e8df57349e2a165736

SHA256
5bcdd2819f7cff4f700eb8265fb2c072f808e06b683af113013dbb50e56bb19d

SHA512
17b871aa829321e90959dacc3db35a39c49fbd7c33fab1e1442bb453245cb09cc7942d5d9758e467d318b56aa2642c928b5ab381f495d22036592401030aac87

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
1196fa5b501c67f2319c16a0a15e75fd

SHA1
d1855710ea4392fa0f62d315847e7c11dcb55de6

SHA256
27e5e58a1c8e940b46839a6c89cf5b3437dd31f499f473d04da034b46763b945

SHA512
a3ffb7bd057629e7b187b978b95c36916f38ceb44fd1381c5ca2a26677d1f4cbc8859e03ade88b6b1bfa42e132ee7ee0010af819f9bfbc200218252031d2b675

Download Submit
memory/936-152-0x0000000000000000-mapping.dmp

Download
memory/1128-83-0x0000000000000000-mapping.dmp

Download
memory/1140-103-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1140-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1140-67-0x0000000000000000-mapping.dmp

Download
memory/1280-90-0x0000000000000000-mapping.dmp

Download
memory/1296-85-0x0000000000000000-mapping.dmp

Download
memory/1308-92-0x0000000000000000-mapping.dmp

Download
memory/1364-149-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/1364-140-0x0000000000000000-mapping.dmp

Download
memory/1364-151-0x0000000002B71000-0x00000000031D0000-memory.dmp

Filesize
6.4MB

Download
memory/1396-162-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1396-163-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1396-182-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/1396-181-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/1396-174-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/1396-173-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1396-172-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/1396-156-0x0000000000000000-mapping.dmp

Download
memory/1396-158-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1396-159-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1396-161-0x0000000004B22000-0x0000000004B23000-memory.dmp

Filesize
4KB

Download
memory/1396-160-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1396-167-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1440-116-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1440-98-0x0000000000000000-mapping.dmp

Download
memory/1504-203-0x0000000000000000-mapping.dmp

Download
memory/1612-125-0x0000000000000000-mapping.dmp

Download
memory/1668-128-0x0000000002C30000-0x0000000003337000-memory.dmp

Filesize
7.0MB

Download
memory/1668-130-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1668-119-0x0000000000000000-mapping.dmp

Download
memory/1668-129-0x0000000000400000-0x0000000000B13000-memory.dmp

Filesize
7.1MB

Download
memory/1704-78-0x0000000000000000-mapping.dmp

Download
memory/1720-107-0x0000000000000000-mapping.dmp

Download
memory/1720-115-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1720-114-0x0000000000230000-0x0000000000283000-memory.dmp

Filesize
332KB

Download
memory/1748-59-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1824-208-0x0000000000000000-mapping.dmp

Download
memory/1856-80-0x0000000000000000-mapping.dmp

Download
memory/1948-147-0x00000000028A1000-0x0000000002F00000-memory.dmp

Filesize
6.4MB

Download
memory/1948-139-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/1948-138-0x00000000022D0000-0x0000000002895000-memory.dmp

Filesize
5.8MB

Download
memory/1948-148-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1948-131-0x0000000000000000-mapping.dmp

Download
memory/1980-183-0x0000000000000000-mapping.dmp

Download
memory/1980-191-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

Filesize
4KB

Download
memory/1980-190-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/1980-189-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/1980-188-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1980-202-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/1980-187-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1980-186-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2012-77-0x00000000741E1000-0x00000000741E3000-memory.dmp

Filesize
8KB

Download
memory/2012-62-0x0000000000000000-mapping.dmp

Download
memory/2040-206-0x0000000000000000-mapping.dmp

Download