nightingale | 1ae1b2e13a00415f208ca5972b2b6ff5fead584bb3aca4294505e46f56cc5c6c

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEnigmaCrakerV2.exe
Size

59.3MB
MD5

62fadebebf4208af245829dcb4b159b6
SHA1

476d3854d2eaead161e85624f33fbd5a507ac885
SHA256

1ae1b2e13a00415f208ca5972b2b6ff5fead584bb3aca4294505e46f56cc5c6c
SHA512

b25b8b1a179e7b81ad6bfc13349c0ca3056be55156d838cc0f24625920f0dba4e02f513b71308ab49981b59d9f9c385086e4393b9b12fc4f2b134d98a414fb7f
SSDEEP

1572864:2sabzB6M352iHBA8PCwl5qewZJpLfEFZPvLHwHMxwX:2s6zB6yBR4eopyFHRE

Score

10^/10

nightingale credential_access discovery execution persistence pyinstaller spyware stealer

Malware Config

Extracted

Family

nightingale

https://api.telegram.org/bot6708185867:AAFutwCJHLGWBWo0L449U4iLunAo9h3rayQ/sendDocument

Signatures

Nightingale stealer
Nightingale stealer is an information stealer written in C#.
stealer nightingale
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe
1748	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2708	sunshine-stealer.exe
2936	tommyv2.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2724	DEnigmaCraker.exe
1936	DEnigmaCraker.exe

Loads dropped DLL 14 IoCs

pid	Process
2760	DEnigmaCrakerV2.exe
2760	DEnigmaCrakerV2.exe
2760	DEnigmaCrakerV2.exe
2760	DEnigmaCrakerV2.exe
2760	DEnigmaCrakerV2.exe
2716	Process not Found
2724	DEnigmaCraker.exe
1936	DEnigmaCraker.exe
1936	DEnigmaCraker.exe
1936	DEnigmaCraker.exe
1936	DEnigmaCraker.exe
1936	DEnigmaCraker.exe
1936	DEnigmaCraker.exe
1936	DEnigmaCraker.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Piruken_LetThereBeNightingale_obf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Piruken_LetThereBeNightingale_obf.exe"	Piruken_LetThereBeNightingale_obf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000015e87-25.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEnigmaCrakerV2.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell	Piruken_LetThereBeNightingale_obf.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open	Piruken_LetThereBeNightingale_obf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open\command\	Piruken_LetThereBeNightingale_obf.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open\command	Piruken_LetThereBeNightingale_obf.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings	Piruken_LetThereBeNightingale_obf.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1748	powershell.exe
2880	powershell.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe
2796	Piruken_LetThereBeNightingale_obf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe
Token: SeIncBasePriorityPrivilege	2796	Piruken_LetThereBeNightingale_obf.exe
Token: 33	2796	Piruken_LetThereBeNightingale_obf.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2708	2760	DEnigmaCrakerV2.exe	31
PID 2760 wrote to memory of 2708	2760	DEnigmaCrakerV2.exe	31
PID 2760 wrote to memory of 2708	2760	DEnigmaCrakerV2.exe	31
PID 2760 wrote to memory of 2708	2760	DEnigmaCrakerV2.exe	31
PID 2760 wrote to memory of 2936	2760	DEnigmaCrakerV2.exe	32
PID 2760 wrote to memory of 2936	2760	DEnigmaCrakerV2.exe	32
PID 2760 wrote to memory of 2936	2760	DEnigmaCrakerV2.exe	32
PID 2760 wrote to memory of 2936	2760	DEnigmaCrakerV2.exe	32
PID 2760 wrote to memory of 2796	2760	DEnigmaCrakerV2.exe	33
PID 2760 wrote to memory of 2796	2760	DEnigmaCrakerV2.exe	33
PID 2760 wrote to memory of 2796	2760	DEnigmaCrakerV2.exe	33
PID 2760 wrote to memory of 2796	2760	DEnigmaCrakerV2.exe	33
PID 2760 wrote to memory of 2724	2760	DEnigmaCrakerV2.exe	34
PID 2760 wrote to memory of 2724	2760	DEnigmaCrakerV2.exe	34
PID 2760 wrote to memory of 2724	2760	DEnigmaCrakerV2.exe	34
PID 2760 wrote to memory of 2724	2760	DEnigmaCrakerV2.exe	34
PID 2724 wrote to memory of 1936	2724	DEnigmaCraker.exe	36
PID 2724 wrote to memory of 1936	2724	DEnigmaCraker.exe	36
PID 2724 wrote to memory of 1936	2724	DEnigmaCraker.exe	36
PID 2796 wrote to memory of 2848	2796	Piruken_LetThereBeNightingale_obf.exe	37
PID 2796 wrote to memory of 2848	2796	Piruken_LetThereBeNightingale_obf.exe	37
PID 2796 wrote to memory of 2848	2796	Piruken_LetThereBeNightingale_obf.exe	37
PID 2796 wrote to memory of 2844	2796	Piruken_LetThereBeNightingale_obf.exe	39
PID 2796 wrote to memory of 2844	2796	Piruken_LetThereBeNightingale_obf.exe	39
PID 2796 wrote to memory of 2844	2796	Piruken_LetThereBeNightingale_obf.exe	39
PID 2844 wrote to memory of 1748	2844	cmd.exe	41
PID 2844 wrote to memory of 1748	2844	cmd.exe	41
PID 2844 wrote to memory of 1748	2844	cmd.exe	41
PID 2848 wrote to memory of 2880	2848	cmd.exe	42
PID 2848 wrote to memory of 2880	2848	cmd.exe	42
PID 2848 wrote to memory of 2880	2848	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\DEnigmaCrakerV2.exe
"C:\Users\Admin\AppData\Local\Temp\DEnigmaCrakerV2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\sunshine-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\sunshine-stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\tommyv2.exe
  "C:\Users\Admin\AppData\Local\Temp\tommyv2.exe"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\Piruken_LetThereBeNightingale_obf.exe
  "C:\Users\Admin\AppData\Local\Temp\Piruken_LetThereBeNightingale_obf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Piruken_LetThereBeNightingale_obf.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Piruken_LetThereBeNightingale_obf.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- C:\Users\Admin\AppData\Local\Temp\DEnigmaCraker.exe
  "C:\Users\Admin\AppData\Local\Temp\DEnigmaCraker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\DEnigmaCraker.exe
    "C:\Users\Admin\AppData\Local\Temp\DEnigmaCraker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEnigmaCraker.exe

Filesize
11.8MB

MD5
94bfc145c2876aea5bec18cdceeca296

SHA1
e632e736aa6dc0d73282e1297600c5cea1205ec5

SHA256
4eb912fee24ac5cf2ecbe6ac2bec99907e3554c662a8521fa902814bf6465800

SHA512
0c03ed4b032ec962ae46ffaf91d2de507eea0642e1a0d7cf2a68d15c7b1e3663a63b5c77eb8784755f8da48a883baacd02742d61fc3e429897deb75ad3c4aa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Piruken_LetThereBeNightingale_obf.exe

Filesize
180KB

MD5
105709672755810c6cbbe74a27792459

SHA1
3ea73f6390c53f9618ef4b2ed37a2b8e6542a6d0

SHA256
d9b9ede277690c91360c23e31dd15d088d2fd5f08eac18b7220b6d393f39eff0

SHA512
54114b363732d6a87ba41a38a932c5fb5d8960847cf1e341296c1eb1a4671a62e2e005a04a7334d9f8c277343fb9d97df3219036d4dc0120ffe501da9e80327c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27242\python312.dll

Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M1FLDPZGLYMIUXAQ8MAA.temp

Filesize
7KB

MD5
ef15bae01eb4b0338e9d2f2092c2848f

SHA1
2dcf08eced8da611add5d9c9025a13b3e8663359

SHA256
dfa5feb18606fec08c16ce20a5711efce8e83c11654b688679dc7d447dc24fdd

SHA512
2d88e9c5639d275d87ccfe2317a801f9983d7cf27410e76b9f7a632c22a7c6ba6c72c59bc5037677e475a77b71e8e35fca16c8b1d2b798176c594134fb5094d5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27242\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27242\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27242\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\sunshine-stealer.exe

Filesize
7.3MB

MD5
2e42b264532b45a1ecc0e3dc1f0a3926

SHA1
236841919a6061385c72a8a00d4c97abb5df1087

SHA256
832d472e854d5602410e09f30557fcaf4c84b9c785a583d7480fad76ace1fba5

SHA512
0f93e4b031e017a85e9b24c47c4cca2cda1bf15c4d5ecbc38e3d7841d9ee36cd7df023d507cbfec750bf21890279c1dd704ccd82bd72cffb854fd38b1781c576

Download Submit
\Users\Admin\AppData\Local\Temp\tommyv2.exe

Filesize
40.0MB

MD5
ee4c97a398196ca5b7a0b6cffe5ce836

SHA1
4a60cf7c4df1e10a2ba97240e73d88c9f8715cae

SHA256
bbb1be06910a5246475281d720d8afa5d26426281b7ab762cd039b701bfeb934

SHA512
c79d1933672debe75740ef8526201e660852fbc16a6b0fd5cf7e918fba0fdee749078ff223873eeea7c18eab71c0ef5303f7ce03e4bf8fb5b60c5f4fe6508578

Download Submit
memory/1748-120-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2708-121-0x000000013F5D0000-0x000000013FD28000-memory.dmp

Filesize
7.3MB

Download
memory/2796-75-0x0000000000A30000-0x0000000000A64000-memory.dmp

Filesize
208KB

Download
memory/2880-119-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2936-122-0x000000013F170000-0x0000000141980000-memory.dmp

Filesize
40.1MB

Download