azov | 8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
Size

319KB
MD5

e875f3e021beab1203a92da7fbe51490
SHA1

36dfa6259dcaf170959c56ea54b85233bfbff4c7
SHA256

8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99
SHA512

2f2f21279c80385e7a246941e43091fe8988bf886395c0ad260ae435a992dea77f1c036b174da7d54c6ecd3fab2af22a6bea6985c79520574694e86191241a2e
SSDEEP

6144:vwU64s9KvnLbLtvSVLx9y9TBA3QvEOpP7WYhw1bRh2Z:vc4s9KvfZ679y9TagvEEP6SwR+

Score

10^/10

azov persistence ransomware spyware stealer wiper

Malware Config

Signatures

Azov
A wiper seeking only damage, first seen in 2022.
ransomware wiper azov
Renames multiple (7418) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe"	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe

description	ioc	process
File opened (read-only)	\??\G:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\H:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\P:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\T:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\U:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\I:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\R:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\V:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\X:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\B:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\E:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\M:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\N:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\O:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\S:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\A:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\J:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\K:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\L:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\W:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00390_.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.DPV	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfxrt.jar	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.msi	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLS.ICO	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\La_Paz	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CACH.LEX	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324704.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME04.CSS	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Brunei	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\MSB1ENFR.ITS	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01296_.GIF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ADO210.CHM	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7F.GIF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RESTORE_FILES.txt	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\SATIN.INF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.TTS	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21296_.GIF

Filesize
666B

MD5
0d6efe9e22f4663da48b74abfb8d6e3c

SHA1
f22e480caf4d1f1648ee711697595251c0c4faaa

SHA256
87ae0c9fc09e0df730afb5dad3535626355b79db030053a16357711f9fce6d7f

SHA512
21237bd01e4d9bf02615e99fc0d75733b5cd0eee716d216738ad9a925451c63cd49d7674bbe35bdc5c0162b6acd06dd9d4016f04372af2a198e488b40340e155

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF

Filesize
666B

MD5
92971e56da6d183be1cb602785d8eb52

SHA1
a605512ebed29ebf739a0e84870697f3ec13ad18

SHA256
63500e52b291c993b1ef85755669bd7161baaa62985e80c98fecff2162b9f308

SHA512
5db3ee734f8494acc445abb8bfa2b9b6841877d3b84a2ee106d06a2cdaed9fbfeaf457602a529bd0017b26e88bb8913f94a177c781a5fd3dbd125bdbb7fdc071

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF

Filesize
666B

MD5
e6addf1b14151e3723fd27cbfb7ab844

SHA1
a049cae20ce7b726170a15c23c9b02cfe83e4d0e

SHA256
b7370e850d55eba528ee967c085ecb4c962f5fd3906a5dddb3885f52e36494a8

SHA512
d1139d8d2b06ea9ad27d4669d0d3f1a5a4891da4b5d71e5cebab553991fb632f1d202a8df835cdb6a03554e81cbcd614f4ef841adacf8ba142c4675c9e326ecc

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF

Filesize
666B

MD5
cbc4fb2d071aa9ac265b468c8d6e38bd

SHA1
5755b8a817916931f4a0d4e4934228551230b3d3

SHA256
cb727e38440c4427412cc1658c706ff88e6c17e155ccf8a7a26f260fe8245fe3

SHA512
c4caecc61453f86f1774b2d2c9a3fd96ebd39c7dc9be2999006a1e523cf299b49f3d9851863d5ed87a5c2ae97a9058d791036ccb2cca1c7367eb4755e41f799e

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF

Filesize
666B

MD5
fe4f22290cded8d8079754a3144c6719

SHA1
5dd190403f45f1093fa6d6241643001f4ea7f0e9

SHA256
33e3259e76116b7c02d327d2bed50311e09c15cf6805f6bec45a9e73c0683e74

SHA512
99be9ad0728f741ec282caa658ba962be36756b9561ed08ff87d8ca332bbac23c298396444fada1d5722a28cf5f5fecfc8fb222e257218e8f7a597e56f572ad9

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21306_.GIF

Filesize
666B

MD5
3d221da4d5274afa329c53c0604af3fc

SHA1
184745aff0f567c9aa1e8913ec40f8768395b709

SHA256
6790645e033b8c3e8499c76cf50f6ee8160cc5cf17988aec4776b89834178157

SHA512
1dfac52f950c4fb58acad92ffc25476b8b2b56065412e1e9b8d0f029ea4e3c3d50da1fc8276bbd40f473dfb2f2db278e3de3946bc638ac1dbf4cc0f1c3521196

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF

Filesize
666B

MD5
69306e65dba4dd314dce299e32464996

SHA1
a3b7d38609e7993f5ff9044725992f2783b70c66

SHA256
690eed720fbc614c277c7ae974a48466d2a52d9120b1d2ead1abb04234da27cf

SHA512
43400ed2770cf60073bfff04c2b9817f49c47996b526da7b090f2c815286fe5fd752f6657bbbe57229b3e1305a0ae7054ec6562ba479b8c8cfc408a1821d1fc3

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF

Filesize
666B

MD5
7a7ca15fb4f02caae3c6a039a0ad2b90

SHA1
9b2a97ba1cf38dc6202192d8bf2d3aa318fe2575

SHA256
dab8c4ffb87ed70d8b03d4f2bad2a82f06b0593e4651bb180932a05ffbf7a6ba

SHA512
1640715cf04f1c11b403a290d7b566ff706418aec6ec5e4e419536f0e1175f48ae19babe9ec30e5e122f615fed8af447e27fd5cba0ca1febfe208128e5cfc3b3

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF

Filesize
666B

MD5
eef511fff9c69d2b6697a37cd53e730e

SHA1
82cf8fa9b81354a972be38a1058a22ee3c9d7ef4

SHA256
757e43b3ba35d43eca4f56f848dd627eb42994e420eb01bcea11c4ad0985e5b2

SHA512
cb80830c05c4906184514a7e157b27992809866a31db8f0527a9170e05a5842997f5876c65fe60e399db42efd63964fa6fab965609e69fcaaa6c63123da990c1

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF

Filesize
666B

MD5
6cb41a9d42860d4aeb4dfa017aaf9865

SHA1
5af3f2730665fe2b7d33eac3a7f5bfb92b25576d

SHA256
9decd78a144292fa22639e57644701a741fbcd17ac2cce863ccf652abc8c3b6d

SHA512
986edbb10a48c7177bf8c093a42e20484014c01e24bad588db52773209749e6e5e3d842fec1f2e4ea12b66076ed4c5082c23a617c642c0ead72c9df56f6c43fe

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF

Filesize
666B

MD5
c2a0d5408dbbfcef9b2dbf24efb5f342

SHA1
8883d01165b930a1074e184160b3abf64164163b

SHA256
e659da8dacab3ab3a7582771a09582b1ef0cfadd563ea5fbc4a5641d46372523

SHA512
b3a091d933f790238daff39aada3fce18e2cfca24b54bfb7ce669e27c259145a76bfe2db4f39bdf21206a2718f7c164bf447e240bf0267f54e4579763f0e7ac1

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF

Filesize
666B

MD5
6ccda9b42fe1b5dd04b65d6c9d95b636

SHA1
be7c6b9aa4d831c28a1e69aa9feaffe06328b8d2

SHA256
c2c28bf504cb821de6c576736d2548bc48e64e8fb7d6aaba45b3fd3223c28bd4

SHA512
a895a1e139288552f4486a841fc83808323e5d7174cdba09f019ec779a6cba8efacb8400cf480a30ce3b597be11817f153c11d17d1245a01f6f4dcd13deec90e

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF

Filesize
666B

MD5
c39bb6b315815250949bbef2fd3e80a5

SHA1
8757bb38193df7b5d21ed22d7ec32457e5e38e9d

SHA256
7beb914935e788d46104f62f7d9307dc532020a80937524a94408a2f7ae8c844

SHA512
7992cec3a7cfc555951afe2e0d19889450d5385e4bf3a231ae3892fdf524144510ed4f0e3d3c20145d0cbf590a9d7f3c0be3176dc785baed30ee5ac3d00a3af5

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF

Filesize
666B

MD5
238e67e2a529bb2cd4c82d1f3a5b9066

SHA1
b536050beb3c1573e132df7df2c18acb53d4c227

SHA256
887c99c5d13f521f3e59a2535e87b72b6a7b8e90b0bf0b09a54db4ce87533868

SHA512
ce7610855c9cf1b7b5b6d08b2ebf36cb995dd2e7934df744252e205724ba107848c83a2f5f61f75ef9f09e8b0b07e07b1f425bf0e47d532b2b2c210fb3ac87c2

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF

Filesize
666B

MD5
424486436f2839e5861f53bc5e6bf90a

SHA1
2b111fb676a2a24fec18ee2bb55ed9cf9771174a

SHA256
0080d6e331b9c4c338bc6d0b7c192f61037a836a3fdebcd1aca296b67474a9d2

SHA512
59d78b7d4c3599fe9e90b99cf723cc79048418a97c84ce108b07af3f39de06937d7539874e3f16b7a19011cbd72b14737b6f296644b329ed91bcae695e28f151

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21344_.GIF

Filesize
666B

MD5
129dc1fee57881485baaf2d5d25ed774

SHA1
4dd427b10adca4910241cf20bc285f13f56c3245

SHA256
27f54009cb51fde755838ed00684f3ed56526287c3c24fc7b42d65aee11ab013

SHA512
cbcb7d3f4e7d1bddb417aa317ebcca644c37b9dd2580207e55bf99ec3a2796fd6df0b01d966314d0d5649316b954814b00a8b9c3ed569d5847287b36bf8a3be1

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF

Filesize
666B

MD5
d6dff69d5bcc595bd1ff84293a46e136

SHA1
b078acc015de4b1a22bab03d852b0231bef4c441

SHA256
f8d0e44fe7d1449f34a77ef0c091e3e8a1826cf60c8596c683c0775094c2cc82

SHA512
46f044bd5e40ce27fbf7713009ba9b5b6cf7d578a1cada211e1d3d33081684c83f402099d4a2e65b295146e186f0033a645283f9b650b5dd9abacd1a48dd3e23

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF

Filesize
666B

MD5
5f53333ea55a47067901f3205d72330c

SHA1
8c60b066429d9377ec2543f93f21b3f3f32c3fc5

SHA256
3a117a2f235aca27ed9640a501a47403a9fec16158736808e02d238903818a11

SHA512
557bb544f78e4f645c69d2a811eef2e6dfde4979f41138a058232c3dd4c00c478845431d00c4686334c74336209dbaa667d684a35561056d6a3639a7b0481c43

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF

Filesize
666B

MD5
da058ecd5f75e1674e69d4e3ad428cfc

SHA1
64f4ef69cc356756ead8b87852291e1521a8fe00

SHA256
8d9fda9b6616dc3655b2074c2d03cebca80969cf9038be0148161f8e80a7561b

SHA512
1c974618f7bc0b3273c58072c8f917520cdf2691823a3702669b4ded7ec1f69573ae0707511e403a7df9c20afe39b5f8fd75650f48da8e6869ab6bf95e466c2d

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF

Filesize
666B

MD5
ab32b90e581deb3f1737330d03d3e5a0

SHA1
81a413c21e33a4fd990129119dec44654eb032e1

SHA256
de556da713b661bb80df503197fcb13323f42f3ff49f5ab4a09e37bc12fb3f9c

SHA512
935b4f29efc636b4b97a285959af150e102e97f33887184c540c5dbf0ba71bc7d81c124b47392cea368e0dd4bc61fb6fe05332f101e453a61ab21b3a6ee4efbe

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21376_.GIF

Filesize
666B

MD5
fd95e22817c815954d724858a5edc1c5

SHA1
b57f1e8e4bdb5dfae334aeae955e33bc0172bcfe

SHA256
0af5fec21ba86a5a76e5ec00760d2d233805c7ce0b2882f38350602508b542fa

SHA512
50e8f6170b0740a770239bf5dec1b9026488098b69d0018d59a9880047b7adfe8dfdb7ba30a0f0d00555e07e1891c14b073cd3b44e44dde2799a63a803f614dd

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF

Filesize
666B

MD5
066303bf4ab6bf857ad72717830cbed7

SHA1
5353b05bc60f6c4907941a88f452e26a50e7108b

SHA256
e6d6b09fd8ba6ad88eba412de561a85cd48cc2d706c82a02aa2c52a9e0148fd0

SHA512
34835e49ff737920128693ac7e054fa70deaef16ce20d7f33c797a5fc57fcf11e0671342cf1833f76ad3386bc22d9702cfb430e72dbfbac01b806b93ccadfff0

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF

Filesize
666B

MD5
c8d57c9cd6015869266da901098099d8

SHA1
15397f627115ba9a082235e5c8393202dee28cf7

SHA256
9d1bf22e0e1ce6a2168a20a29cc71d97eade0304d6270f2b930ee01e214144e8

SHA512
d11a118bd6cb8cd8e5409f788ec8a2e4b74e2a09aa98f55d2bd6ed8c2a441bc2768f3d0feaf5d5b5debae08f4535c05b0a3e9db01805c2fba9681967d1e53886

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF

Filesize
666B

MD5
01d82756f0218d5cf53215eb090af1df

SHA1
7d8c56117d2e9177312022c6c11a29cbd0e6dae8

SHA256
75c951b7a3befbd02236ccd7e8f821eaa4c6c791d1a224f04bd260ae73277fea

SHA512
26490e03520185c0bbb2deb0b582704076869e20f39c956d962c596c7e4fa68ca55fa17291195b32ee761bc0a547d8be31d57717263fb0f2153b5e4a51d7c3f0

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF

Filesize
666B

MD5
dd2149a4dd1ca32ef809aca4d788d3b1

SHA1
81c1ada7a63d3d4c8b16d38555592433b4f44cb5

SHA256
25043567cd473f932f1dc742d92656d3e061c812b3aa1d28e2fedae1e7daa4c8

SHA512
07dfcabf0049dcee791cad982c3b24a9b48d4347e3cc7847f449b8cd9b6e4bd25374535a33ce99115ac48e87fd6cdaadda14a4b57291de06b969c3163e1531ad

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF

Filesize
666B

MD5
2fdea54a65caa145b311a2b52c0eae76

SHA1
4c7e07c0a4dc7e6f8fb760b287c6ae6c7c802a7f

SHA256
e5d457d268d67194dc4bb37f1179f4c0e765dee5d038c23150b09ce1b0324272

SHA512
847c82203586a8ca46bacdd21db3ca33b38feb8685eb77482aba3db19be254972ea7b43df5150d310d5569ded4325370ec55d492e9360210bfe5e88f893dc936

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21423_.GIF

Filesize
666B

MD5
0b0327e3bca1606a635e3ad541b515f3

SHA1
3057380f3c99d9eff0ee0f43dfaa3cf8c92fc029

SHA256
c42c618486eb2bf315f9b816ace0b19cbe150ba356fc34c040b6838b6c21f6d4

SHA512
48181b1a5ec4f2442c9df257cb212fb27ee28bf739db637139438e853043ccf7372acc247f4420a49ef7f57213d9b34d7be48fbf7fba736dcd615c6022692a04

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF

Filesize
666B

MD5
f09247d218c558f88384de133d991619

SHA1
f23f8609a50ed2af817e2980b130b539e62b221f

SHA256
ddfb00e42795205f8283a34dfeae002c3f689716e989e171fb33a13af564b951

SHA512
1095fb950c6f89428babb54ca9b2421628c26ebe251d5d42e9fabd53d71349a44076f77c2d70ba7ab7d042c31c359de6dda81bb2a4d7e73193fcbf0502407d68

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF

Filesize
666B

MD5
3778970e9c5b1bb55bc9208351a1f19d

SHA1
903847d5b9eb9e0bf2f5f6023b09fccdf6e23c34

SHA256
caa8f33297938b168e2027f34f9adc612442984bc2f234fb503c4d26168c3054

SHA512
1acfdcfacd08d41ad16223ec73675a2e4c1ae7514e4f52be5ac17a103cea326c470c7fd65ebcef5c8ee761f9408d2dc99f4ec4cd799e6c6c001d30cc954d157c

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF

Filesize
666B

MD5
eca6a840b2d26c2ea5ac6fbc5c8cf677

SHA1
523ad909ca4d3f6a57d0889c1440a4f3615e6096

SHA256
e025b40bb8662b36050c0073ac019e4eb71a12bcf6456aa888380442fa139a81

SHA512
89654e0b28dc9f00826419c2fc88ca87478b6ac8dce2c4ff5f44b8646a8ffd5a6c5c2c2c9c537dcedde7ca0825be1db2e20658cd77400c526824cdcaabc0cea7

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF

Filesize
666B

MD5
66440ef0e44db3b1b726c16259df89f1

SHA1
6768ab319ce698bd943cdff114c25b23b72ae610

SHA256
99f4ae8090a633f21385f31305de6c9c574dfcabff7e18c4f74ead64b1c47abd

SHA512
09171c58619345b673912fff0b4dd2c15b93622c6161769d673047574ec28ddf3cb9548d4a024143c6a8783514123f531e47d696d4b51763f8e2d54d3db370cc

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF

Filesize
666B

MD5
a97ddf7b25f112dd895efdb3b909df48

SHA1
2a475c0a8fe9e78b098190f9e9f0ca498eaaa47e

SHA256
6093cea73a8cea9ae50066401e424e61962f2cda8fb629e102f76ea204819bc5

SHA512
9b2fccb4474411cb2a2bd4baf90ae064e7e601c54317c0f8233b6071c29c857e431e1c09b3704cc2cde1d46e9a0874078498e60c65dac69d219c1ca46e493c54

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21535_.GIF

Filesize
666B

MD5
dc50bf861b55178558478e900d06a41c

SHA1
b40f0624a109a316c0d8d358f551bccd85ab0088

SHA256
9415ce34e8f9715d6aeeacc02dc7012a73264e982b4ddd65d91cd557c71c4d31

SHA512
6132740b46ea88db595edd8b21d42717a3affb0df212582c636c52a6a1fc8fd9a00f7540a54e355e37c6dfb11a05061eb2554ac06248a07c7a44fb6b70ec1113

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115834.GIF

Filesize
666B

MD5
8f1ec6baae2b0741be7f0b45d5c24701

SHA1
d146cba3ab00ca044ba4f498e45d0b7f38958f81

SHA256
17a1540bc96d1a428fb168de44de7d3252e87421880ee5fcb1306f0d86d0ac1e

SHA512
9cfed3b4aef58fb8acc1894877f80fb360b23d5b3d6f928cea18c4351327c7cb99f07f45c1bdb64a3de8da7063f3bfabbcfabca91ab74c8ba78667efb9773589

Download Submit
C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

Filesize
2KB

MD5
78ede93114e65f9160fd03d3357c56e6

SHA1
88d531b101e57655f1d0d26c6b3257aa2468d460

SHA256
c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5

SHA512
074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d

Download Submit
memory/2032-7-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2032-0-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2032-2-0x000000013FAD0000-0x000000013FB17000-memory.dmp

Filesize
284KB

Download
memory/2032-6-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/2032-4-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/2032-8-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/2032-3-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download