91d48cd8799643b9e70cc8d7f1abcab8a8a8377090d03623d28d8222c76b0d58

Analysis

max time kernel
1212s
max time network
1211s
platform
windows10_x64
resource
win10-de-20210920
submitted
21-10-2021 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tornado.exe
Size

331.0MB
MD5

2acf755a8825894b837989ce1ae3db1d
SHA1

17d5590e64a1df1470e83f79eb935d78bc218c2d
SHA256

876dbe0fdf3f4ec70bd1985bf7c6f661b1105efd591407a6dd7ca7506bc61adf
SHA512

f5ca9da28f33097e92714f1e329d62fa8b98afe35bdaaf9e4941ad8f46c9350df74117b4712abc83c7bf44d6a1cb357b44bfb426d7ab0eeb88b3c813e99eef4b

Score

10^/10

discovery persistence spyware stealer suricata

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata

Executes dropped EXE 8 IoCs

Processes:

tmp7367.tmp.exeNascondere.exe.comNascondere.exe.comRegAsm.exetmp7367.tmp.exeNascondere.exe.comNascondere.exe.comRegAsm.exe

pid	process
4036	tmp7367.tmp.exe
4292	Nascondere.exe.com
3840	Nascondere.exe.com
3820	RegAsm.exe
4868	tmp7367.tmp.exe
1904	Nascondere.exe.com
3176	Nascondere.exe.com
4292	RegAsm.exe

Drops startup file 1 IoCs

Processes:

Nascondere.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LMDUbsNmfa.url Nascondere.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LMDUbsNmfa.url	Nascondere.exe.com

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp7367.tmp.exetmp7367.tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp7367.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp7367.tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp7367.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tmp7367.tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 eth0.me

flow	ioc
57	eth0.me

Drops file in System32 directory 8 IoCs

Processes:

OfficeC2RClient.exeOfficeC2RClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Nascondere.exe.comNascondere.exe.com

description	pid	process	target process
PID 3840 set thread context of 3820	3840	Nascondere.exe.com	RegAsm.exe
PID 3176 set thread context of 4292	3176	Nascondere.exe.com	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

Processes:

OfficeC2RClient.exeOfficeC2RClient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,39965824,7153487,17110988,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3580 PING.EXE
1708 PING.EXE

pid	process
3580	PING.EXE
1708	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeRegAsm.exe

pid	process
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe
3820	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Tornado.exepowershell.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1892	Tornado.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	3820	RegAsm.exe
Token: SeDebugPrivilege	4292	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OfficeC2RClient.exeOfficeC2RClient.exe

pid process

4936 OfficeC2RClient.exe
4076 OfficeC2RClient.exe

pid	process
4936	OfficeC2RClient.exe
4076	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

Tornado.exetmp7367.tmp.execmd.execmd.exeNascondere.exe.comNascondere.exe.comtmp7367.tmp.execmd.execmd.exeNascondere.exe.comNascondere.exe.com

description	pid	process	target process
PID 1892 wrote to memory of 3220	1892	Tornado.exe	powershell.exe
PID 1892 wrote to memory of 3220	1892	Tornado.exe	powershell.exe
PID 1892 wrote to memory of 3220	1892	Tornado.exe	powershell.exe
PID 1892 wrote to memory of 4036	1892	Tornado.exe	tmp7367.tmp.exe
PID 1892 wrote to memory of 4036	1892	Tornado.exe	tmp7367.tmp.exe
PID 1892 wrote to memory of 4036	1892	Tornado.exe	tmp7367.tmp.exe
PID 4036 wrote to memory of 3628	4036	tmp7367.tmp.exe	dllhost.exe
PID 4036 wrote to memory of 3628	4036	tmp7367.tmp.exe	dllhost.exe
PID 4036 wrote to memory of 3628	4036	tmp7367.tmp.exe	dllhost.exe
PID 4036 wrote to memory of 4476	4036	tmp7367.tmp.exe	cmd.exe
PID 4036 wrote to memory of 4476	4036	tmp7367.tmp.exe	cmd.exe
PID 4036 wrote to memory of 4476	4036	tmp7367.tmp.exe	cmd.exe
PID 4476 wrote to memory of 3252	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 3252	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 3252	4476	cmd.exe	cmd.exe
PID 3252 wrote to memory of 3424	3252	cmd.exe	findstr.exe
PID 3252 wrote to memory of 3424	3252	cmd.exe	findstr.exe
PID 3252 wrote to memory of 3424	3252	cmd.exe	findstr.exe
PID 3252 wrote to memory of 4292	3252	cmd.exe	Nascondere.exe.com
PID 3252 wrote to memory of 4292	3252	cmd.exe	Nascondere.exe.com
PID 3252 wrote to memory of 4292	3252	cmd.exe	Nascondere.exe.com
PID 3252 wrote to memory of 3580	3252	cmd.exe	PING.EXE
PID 3252 wrote to memory of 3580	3252	cmd.exe	PING.EXE
PID 3252 wrote to memory of 3580	3252	cmd.exe	PING.EXE
PID 4292 wrote to memory of 3840	4292	Nascondere.exe.com	Nascondere.exe.com
PID 4292 wrote to memory of 3840	4292	Nascondere.exe.com	Nascondere.exe.com
PID 4292 wrote to memory of 3840	4292	Nascondere.exe.com	Nascondere.exe.com
PID 3840 wrote to memory of 3820	3840	Nascondere.exe.com	RegAsm.exe
PID 3840 wrote to memory of 3820	3840	Nascondere.exe.com	RegAsm.exe
PID 3840 wrote to memory of 3820	3840	Nascondere.exe.com	RegAsm.exe
PID 3840 wrote to memory of 3820	3840	Nascondere.exe.com	RegAsm.exe
PID 3840 wrote to memory of 3820	3840	Nascondere.exe.com	RegAsm.exe
PID 1892 wrote to memory of 4868	1892	Tornado.exe	tmp7367.tmp.exe
PID 1892 wrote to memory of 4868	1892	Tornado.exe	tmp7367.tmp.exe
PID 1892 wrote to memory of 4868	1892	Tornado.exe	tmp7367.tmp.exe
PID 4868 wrote to memory of 1624	4868	tmp7367.tmp.exe	dllhost.exe
PID 4868 wrote to memory of 1624	4868	tmp7367.tmp.exe	dllhost.exe
PID 4868 wrote to memory of 1624	4868	tmp7367.tmp.exe	dllhost.exe
PID 4868 wrote to memory of 4608	4868	tmp7367.tmp.exe	cmd.exe
PID 4868 wrote to memory of 4608	4868	tmp7367.tmp.exe	cmd.exe
PID 4868 wrote to memory of 4608	4868	tmp7367.tmp.exe	cmd.exe
PID 4608 wrote to memory of 1340	4608	cmd.exe	cmd.exe
PID 4608 wrote to memory of 1340	4608	cmd.exe	cmd.exe
PID 4608 wrote to memory of 1340	4608	cmd.exe	cmd.exe
PID 1340 wrote to memory of 1608	1340	cmd.exe	findstr.exe
PID 1340 wrote to memory of 1608	1340	cmd.exe	findstr.exe
PID 1340 wrote to memory of 1608	1340	cmd.exe	findstr.exe
PID 1340 wrote to memory of 1904	1340	cmd.exe	Nascondere.exe.com
PID 1340 wrote to memory of 1904	1340	cmd.exe	Nascondere.exe.com
PID 1340 wrote to memory of 1904	1340	cmd.exe	Nascondere.exe.com
PID 1340 wrote to memory of 1708	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1708	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1708	1340	cmd.exe	PING.EXE
PID 1904 wrote to memory of 3176	1904	Nascondere.exe.com	Nascondere.exe.com
PID 1904 wrote to memory of 3176	1904	Nascondere.exe.com	Nascondere.exe.com
PID 1904 wrote to memory of 3176	1904	Nascondere.exe.com	Nascondere.exe.com
PID 3176 wrote to memory of 4292	3176	Nascondere.exe.com	RegAsm.exe
PID 3176 wrote to memory of 4292	3176	Nascondere.exe.com	RegAsm.exe
PID 3176 wrote to memory of 4292	3176	Nascondere.exe.com	RegAsm.exe
PID 3176 wrote to memory of 4292	3176	Nascondere.exe.com	RegAsm.exe
PID 3176 wrote to memory of 4292	3176	Nascondere.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Tornado.exe
"C:\Users\Admin\AppData\Local\Temp\Tornado.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiAEMAOgBcACIA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Users\Admin\AppData\Local\Temp\tmp7367.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7367.tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
3⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Starne.mid
3⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^kXhUbWhdyiSzQwKWBBZJjppRDRvuTjJfOgrsoBnWshULiZzcvfBNflRwOcsFmuvSnDFCYzOqeeaZfbKDnwKEL$" Sorte.mid
5⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
Nascondere.exe.com W
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com W
6⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\PING.EXE
ping localhost
5⤵
- Runs ping.exe
PID:3580

C:\Users\Admin\AppData\Local\Temp\tmp7367.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7367.tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
3⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Starne.mid
3⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^kXhUbWhdyiSzQwKWBBZJjppRDRvuTjJfOgrsoBnWshULiZzcvfBNflRwOcsFmuvSnDFCYzOqeeaZfbKDnwKEL$" Sorte.mid
5⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nascondere.exe.com
Nascondere.exe.com W
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nascondere.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nascondere.exe.com W
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\PING.EXE
ping localhost
5⤵
- Runs ping.exe
PID:1708

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4936

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:3520

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ambo.mid
MD5
e44fd575c6528190adc21c41297c7f0f

SHA1
4a834789bb3ddeea37cd30861a4c0bb639eeafed

SHA256
9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547

SHA512
443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ami.mid
MD5
c2a501f010bf7b1c7a9777c3b93e19ef

SHA1
d00adfeb88b435786f32cf7f45c1aae141690600

SHA256
312d9b0380e5d8fd0bbee92b5d7f22a09b9278cbd7457777a08e2df5a859aff9

SHA512
2850ad61312adc4d059e62c7dfaebabaa74ac280773e24920b746a56884d8c490b1d5c6637d56c966ca284a9cd515330d38faff55cfe77a1bd11f54f2c82f6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorte.mid
MD5
ca6c6b8893411108280a0daf1a4d7d61

SHA1
b791c3cdec5711baafa7be643d2d9a0a10ae0835

SHA256
61b5e21e9798a8bf59a1c2e284d78d86706b4dc9bd6bef46bce54af95886bb46

SHA512
c0f8c6e6c08a96d6bc9b77af1f300d45b011faa606c85b6220b89d890692d200230c16a206fa6c94a5f9e1568eb10181199a0d6b80b94f80706a5cd00f4fdbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Starne.mid
MD5
603011f56db8309b2d5c4ea0a1c57a47

SHA1
91ffdd8dbc6c5935c954f2764bec480ae32a1432

SHA256
5e4c34d70260f9bc2ce9f44b8fdef503667493f8d7c9d13b659da3b270a053f0

SHA512
b1d53112fb89fc755e3933e88bcabd1ce2a2aa0032c948530769d96d06ca066d106fcdf2127348e618c7aac8b24b21ddbbdbdfd5113a641dbcd2da217d9ebdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
MD5
e44fd575c6528190adc21c41297c7f0f

SHA1
4a834789bb3ddeea37cd30861a4c0bb639eeafed

SHA256
9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547

SHA512
443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ambo.mid
MD5
e44fd575c6528190adc21c41297c7f0f

SHA1
4a834789bb3ddeea37cd30861a4c0bb639eeafed

SHA256
9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547

SHA512
443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ami.mid
MD5
c2a501f010bf7b1c7a9777c3b93e19ef

SHA1
d00adfeb88b435786f32cf7f45c1aae141690600

SHA256
312d9b0380e5d8fd0bbee92b5d7f22a09b9278cbd7457777a08e2df5a859aff9

SHA512
2850ad61312adc4d059e62c7dfaebabaa74ac280773e24920b746a56884d8c490b1d5c6637d56c966ca284a9cd515330d38faff55cfe77a1bd11f54f2c82f6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nascondere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nascondere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nascondere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sorte.mid
MD5
ca6c6b8893411108280a0daf1a4d7d61

SHA1
b791c3cdec5711baafa7be643d2d9a0a10ae0835

SHA256
61b5e21e9798a8bf59a1c2e284d78d86706b4dc9bd6bef46bce54af95886bb46

SHA512
c0f8c6e6c08a96d6bc9b77af1f300d45b011faa606c85b6220b89d890692d200230c16a206fa6c94a5f9e1568eb10181199a0d6b80b94f80706a5cd00f4fdbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Starne.mid
MD5
603011f56db8309b2d5c4ea0a1c57a47

SHA1
91ffdd8dbc6c5935c954f2764bec480ae32a1432

SHA256
5e4c34d70260f9bc2ce9f44b8fdef503667493f8d7c9d13b659da3b270a053f0

SHA512
b1d53112fb89fc755e3933e88bcabd1ce2a2aa0032c948530769d96d06ca066d106fcdf2127348e618c7aac8b24b21ddbbdbdfd5113a641dbcd2da217d9ebdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W
MD5
e44fd575c6528190adc21c41297c7f0f

SHA1
4a834789bb3ddeea37cd30861a4c0bb639eeafed

SHA256
9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547

SHA512
443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7367.tmp.exe
MD5
44150395748c027ef5f8eed812f620b0

SHA1
0d26c44e5e93a08da7504344498d3275ca11653e

SHA256
144525451ace8e714f95f6235f310b6959871e559e11f33f3164006a02832a7f

SHA512
5ba96935ebacd7c4e377c3171d411e7383132eed1c087ef66c3fe1a54987f826ac9221a1f43f4cc6627d184f7621dca6858b84ae692bde127bdf9d3a7bc04a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7367.tmp.exe
MD5
44150395748c027ef5f8eed812f620b0

SHA1
0d26c44e5e93a08da7504344498d3275ca11653e

SHA256
144525451ace8e714f95f6235f310b6959871e559e11f33f3164006a02832a7f

SHA512
5ba96935ebacd7c4e377c3171d411e7383132eed1c087ef66c3fe1a54987f826ac9221a1f43f4cc6627d184f7621dca6858b84ae692bde127bdf9d3a7bc04a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7367.tmp.exe
MD5
44150395748c027ef5f8eed812f620b0

SHA1
0d26c44e5e93a08da7504344498d3275ca11653e

SHA256
144525451ace8e714f95f6235f310b6959871e559e11f33f3164006a02832a7f

SHA512
5ba96935ebacd7c4e377c3171d411e7383132eed1c087ef66c3fe1a54987f826ac9221a1f43f4cc6627d184f7621dca6858b84ae692bde127bdf9d3a7bc04a4c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db
MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
memory/1340-434-0x0000000000000000-mapping.dmp

Download
memory/1608-435-0x0000000000000000-mapping.dmp

Download
memory/1624-431-0x0000000000000000-mapping.dmp

Download
memory/1708-440-0x0000000000000000-mapping.dmp

Download
memory/1892-118-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1892-119-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1892-115-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1892-120-0x0000000005450000-0x000000000594E000-memory.dmp

Filesize
5.0MB

Download
memory/1892-117-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/1892-121-0x0000000005450000-0x000000000594E000-memory.dmp

Filesize
5.0MB

Download
memory/1904-438-0x0000000000000000-mapping.dmp

Download
memory/3176-442-0x0000000000000000-mapping.dmp

Download
memory/3220-131-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/3220-176-0x0000000005073000-0x0000000005074000-memory.dmp

Filesize
4KB

Download
memory/3220-174-0x000000007F2D0000-0x000000007F2D1000-memory.dmp

Filesize
4KB

Download
memory/3220-171-0x0000000009E10000-0x0000000009E11000-memory.dmp

Filesize
4KB

Download
memory/3220-170-0x0000000009D20000-0x0000000009D21000-memory.dmp

Filesize
4KB

Download
memory/3220-169-0x0000000009BE0000-0x0000000009BE1000-memory.dmp

Filesize
4KB

Download
memory/3220-164-0x0000000009A30000-0x0000000009A31000-memory.dmp

Filesize
4KB

Download
memory/3220-156-0x0000000009A50000-0x0000000009A83000-memory.dmp

Filesize
204KB

Download
memory/3220-144-0x00000000096C0000-0x00000000096C1000-memory.dmp

Filesize
4KB

Download
memory/3220-143-0x000000000A140000-0x000000000A141000-memory.dmp

Filesize
4KB

Download
memory/3220-139-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/3220-138-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/3220-137-0x0000000008A40000-0x0000000008A41000-memory.dmp

Filesize
4KB

Download
memory/3220-136-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/3220-135-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/3220-134-0x0000000005072000-0x0000000005073000-memory.dmp

Filesize
4KB

Download
memory/3220-133-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3220-132-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3220-130-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/3220-129-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3220-128-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/3220-127-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3220-126-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/3220-125-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3220-124-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/3220-123-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/3220-122-0x0000000000000000-mapping.dmp

Download
memory/3252-393-0x0000000000000000-mapping.dmp

Download
memory/3424-394-0x0000000000000000-mapping.dmp

Download
memory/3580-399-0x0000000000000000-mapping.dmp

Download
memory/3628-390-0x0000000000000000-mapping.dmp

Download
memory/3820-423-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/3840-405-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3840-401-0x0000000000000000-mapping.dmp

Download
memory/4036-387-0x0000000000000000-mapping.dmp

Download
memory/4292-397-0x0000000000000000-mapping.dmp

Download
memory/4292-461-0x0000000004F10000-0x000000000540E000-memory.dmp

Filesize
5.0MB

Download
memory/4476-391-0x0000000000000000-mapping.dmp

Download
memory/4608-432-0x0000000000000000-mapping.dmp

Download
memory/4868-429-0x0000000000000000-mapping.dmp

Download