ploutus | 338b3026d18a25a1acebd822892226b41586cc9dfaaa1311e41006676e33cbdb

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Abdal FTP BruteForce 1.0.exe
Size

142.0MB
MD5

b10bbefa03b5fd41ca93e729d10fe865
SHA1

2e3916e4fd64097f5a56207401aace3dfb57492f
SHA256

338b3026d18a25a1acebd822892226b41586cc9dfaaa1311e41006676e33cbdb
SHA512

51c97bb0867ab291666cd3b859fa57e21c1821da20b393fdc81aee5fe80e6f1b008fabda413880a4fd4d724fef9ea37290641384edf23260c152f6a3f5491d7b
SSDEEP

3145728:PwyrS6jEpcXAo8UXvOuiMPNGsLE7Ji4SMl5:PwyrfjXQHUX2MP4Xb

Score

10^/10

ploutus agilenet atm backdoor discovery

Malware Config

Signatures

Detected Ploutus loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.exe	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus
Executes dropped EXE 1 IoCs

Processes:

Abdal FTP BruteForce.exe

pid process

2420 Abdal FTP BruteForce.exe

pid	process
2420	Abdal FTP BruteForce.exe

Loads dropped DLL 46 IoCs

Processes:

Abdal FTP BruteForce 1.0.exeMsiExec.exeMsiExec.exeAbdal FTP BruteForce.exe

pid	process
2168	Abdal FTP BruteForce 1.0.exe
2168	Abdal FTP BruteForce 1.0.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2920	MsiExec.exe
2932	MsiExec.exe
2932	MsiExec.exe
2932	MsiExec.exe
2168	Abdal FTP BruteForce 1.0.exe
2932	MsiExec.exe
2932	MsiExec.exe
2932	MsiExec.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Bunifu.UI.WinForms.BunifuButton.dll	agile_net
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Bunifu.UI.WinForms.BunifuFormDock.dll	agile_net
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Bunifu_UI_v1.5.3.dll	agile_net

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Abdal FTP BruteForce 1.0.exeAbdal FTP BruteForce 1.0.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\T:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\W:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\X:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\X:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\I:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\I:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\O:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\P:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\W:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\A:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\T:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\Z:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\K:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\S:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\B:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\E:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\Y:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\M:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\U:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\O:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\G:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\V:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\Q:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\M:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\L:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\N:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\R:	Abdal FTP BruteForce 1.0.exe
File opened (read-only)	\??\Z:	Abdal FTP BruteForce 1.0.exe

Drops file in Program Files directory 23 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.Themes.Windows8.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\TelerikCommon.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Bunifu.UI.WinForms.BunifuFormDock.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Bunifu_UI_v1.5.3.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\password.txt	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.Themes.VisualStudio2012Dark.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\pass-foun.wav	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\start.wav	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.UI.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.UI.xml	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.exe	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.pdb	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\done.wav	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\error.wav	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.xml	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.Themes.FluentDark.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\ab-us.wav	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Bunifu.UI.WinForms.BunifuButton.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\cancel.wav	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\ChilkatDotNet47.dll	msiexec.exe
File created	C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\nsoftware.IPWorks.dll	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI6FE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73EB.tmp	msiexec.exe
File created	C:\Windows\Installer\f786f09.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7479.tmp	msiexec.exe
File created	C:\Windows\Installer\f786f0b.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6F56.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f786f09.ipi	msiexec.exe
File created	C:\Windows\Installer\f786f08.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7536.tmp	msiexec.exe
File created	C:\Windows\Installer\{5D7FEE9E-8F0E-4963-8A8E-33051368B233}\logo512.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{5D7FEE9E-8F0E-4963-8A8E-33051368B233}\logo512.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7499.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f786f08.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeAbdal FTP BruteForce 1.0.exeMsiExec.exeAbdal FTP BruteForce.exeAbdal FTP BruteForce 1.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdal FTP BruteForce 1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdal FTP BruteForce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdal FTP BruteForce 1.0.exe

System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
discovery

System Time Discovery
T1124

Processes:

Abdal FTP BruteForce 1.0.exe

pid process

2988 Abdal FTP BruteForce 1.0.exe

pid	process
2988	Abdal FTP BruteForce 1.0.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E9E257BC6EECB5440AEE04FE7493CB6C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Abdal Security Group\\Abdal FTP BruteForce 1.0\\install\\368B233\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E9EEF7D5E0F83694A8E8335031862B33	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\PackageCode = "3C75FF5DE137AFA4BBA469D837BB0CB4"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\ProductIcon = "C:\\Windows\\Installer\\{5D7FEE9E-8F0E-4963-8A8E-33051368B233}\\logo512.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList\PackageName = "Abdal FTP BruteForce.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E9EEF7D5E0F83694A8E8335031862B33\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\ProductName = "Abdal FTP BruteForce"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Abdal Security Group\\Abdal FTP BruteForce 1.0\\install\\368B233\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9EEF7D5E0F83694A8E8335031862B33\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E9E257BC6EECB5440AEE04FE7493CB6C\E9EEF7D5E0F83694A8E8335031862B33	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2560 msiexec.exe
2560 msiexec.exe

pid	process
2560	msiexec.exe
2560	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeAbdal FTP BruteForce 1.0.exe

description	pid	process
Token: SeRestorePrivilege	2560	msiexec.exe
Token: SeTakeOwnershipPrivilege	2560	msiexec.exe
Token: SeSecurityPrivilege	2560	msiexec.exe
Token: SeCreateTokenPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeAssignPrimaryTokenPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeLockMemoryPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeIncreaseQuotaPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeMachineAccountPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeTcbPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSecurityPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeTakeOwnershipPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeLoadDriverPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSystemProfilePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSystemtimePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeProfSingleProcessPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeIncBasePriorityPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreatePagefilePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreatePermanentPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeBackupPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeRestorePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeShutdownPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeDebugPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeAuditPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSystemEnvironmentPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeChangeNotifyPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeRemoteShutdownPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeUndockPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSyncAgentPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeEnableDelegationPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeManageVolumePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeImpersonatePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreateGlobalPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreateTokenPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeAssignPrimaryTokenPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeLockMemoryPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeIncreaseQuotaPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeMachineAccountPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeTcbPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSecurityPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeTakeOwnershipPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeLoadDriverPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSystemProfilePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSystemtimePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeProfSingleProcessPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeIncBasePriorityPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreatePagefilePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreatePermanentPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeBackupPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeRestorePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeShutdownPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeDebugPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeAuditPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSystemEnvironmentPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeChangeNotifyPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeRemoteShutdownPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeUndockPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeSyncAgentPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeEnableDelegationPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeManageVolumePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeImpersonatePrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreateGlobalPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeCreateTokenPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeAssignPrimaryTokenPrivilege	2168	Abdal FTP BruteForce 1.0.exe
Token: SeLockMemoryPrivilege	2168	Abdal FTP BruteForce 1.0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Abdal FTP BruteForce 1.0.exe

pid process

2168 Abdal FTP BruteForce 1.0.exe
2168 Abdal FTP BruteForce 1.0.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Abdal FTP BruteForce.exe

pid process

2420 Abdal FTP BruteForce.exe
2420 Abdal FTP BruteForce.exe

pid	process
2420	Abdal FTP BruteForce.exe
2420	Abdal FTP BruteForce.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

msiexec.exeAbdal FTP BruteForce 1.0.exe

description	pid	process	target process
PID 2560 wrote to memory of 2920	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2920	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2920	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2920	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2920	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2920	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2920	2560	msiexec.exe	MsiExec.exe
PID 2168 wrote to memory of 2988	2168	Abdal FTP BruteForce 1.0.exe	Abdal FTP BruteForce 1.0.exe
PID 2168 wrote to memory of 2988	2168	Abdal FTP BruteForce 1.0.exe	Abdal FTP BruteForce 1.0.exe
PID 2168 wrote to memory of 2988	2168	Abdal FTP BruteForce 1.0.exe	Abdal FTP BruteForce 1.0.exe
PID 2168 wrote to memory of 2988	2168	Abdal FTP BruteForce 1.0.exe	Abdal FTP BruteForce 1.0.exe
PID 2168 wrote to memory of 2988	2168	Abdal FTP BruteForce 1.0.exe	Abdal FTP BruteForce 1.0.exe
PID 2168 wrote to memory of 2988	2168	Abdal FTP BruteForce 1.0.exe	Abdal FTP BruteForce 1.0.exe
PID 2168 wrote to memory of 2988	2168	Abdal FTP BruteForce 1.0.exe	Abdal FTP BruteForce 1.0.exe
PID 2560 wrote to memory of 2932	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2932	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2932	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2932	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2932	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2932	2560	msiexec.exe	MsiExec.exe
PID 2560 wrote to memory of 2932	2560	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Abdal FTP BruteForce 1.0.exe
"C:\Users\Admin\AppData\Local\Temp\Abdal FTP BruteForce 1.0.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\Abdal FTP BruteForce 1.0.exe
"C:\Users\Admin\AppData\Local\Temp\Abdal FTP BruteForce 1.0.exe" /i "C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\Abdal FTP BruteForce.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce" SECONDSEQUENCE="1" CLIENTPROCESSID="2168" CHAINERUIPROCESSID="2168Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" AGREE_CHECKBOX="Yes" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_FOUND_PREREQS=".NET Framework 4.7.2" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Abdal FTP BruteForce 1.0.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1722896809 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Abdal FTP BruteForce 1.0.exe" AI_INSTALL="1" TARGETDIR="C:\"
2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:2988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 15DD84D05120F5D4D9478652DC85A181 C
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2920

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24A3C1D25EA02746D2F81534B9CEC253
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2600

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C4" "0000000000000060"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1228

C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.exe
"C:\Program Files (x86)\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
PID:1920

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f786f0a.rbs
Filesize
13KB

MD5
9583af9e1ae4922544de8d2338c9e7a1

SHA1
31eb763bb5487aa316cf96223f1f6db34c7631e8

SHA256
8fc829bdf8ab89534713ebf9496f142a2a1bc31c3105f1aca53320722685259a

SHA512
f46fc6cef051447a56b8cfd51ba21abb9bffc58726bd7d8d53f29cec84a4f006453450afd853ba14a3e49d989117510e68a58bac3a6802d78a593baa9238bff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\PreparePrereqDlgProgress.gif
Filesize
24KB

MD5
f550f449baed1315c7965bd826c2510b

SHA1
772e6e82765dcfda319a68380981d77b83a3ab1b

SHA256
0ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d

SHA512
7608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\ProgressImage.png
Filesize
173B

MD5
6bbc544a9fa50b6dc9cd6c31f841548e

SHA1
e63ffd2dd50865c41c564b00f75f11bd8c384b90

SHA256
728c6cc4230e5e5b6fdf152f4b9b11ac4d104fa57a39668edea8665527c3bcc2

SHA512
2cf43d3a3f2e88805824e4c322832af21c4c49d5309387aa731ddbea8cc280a6049cab4526e20b1c87c39c8781168c5ff80083c94becf0984b94593b89ab77f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\backbutton
Filesize
404B

MD5
50e27244df2b1690728e8252088a253c

SHA1
b84ad02fd0ed3cb933ffbd123614a2495810442b

SHA256
71836c56ec4765d858dc756541123e44680f98da255faf1ece7b83d79809b1c3

SHA512
ba3d3535bfd2f17919e1a99e89fdb1c9a83507ff3c2846c62770e210a50aee1281445d510858d247cc9619861089aaf20f45b0b7c39f15c0ea039ac5498fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\backgroundprepare
Filesize
134B

MD5
a0efb0e7b9cee25b09e09a1a64e96ba6

SHA1
0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39

SHA256
f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787

SHA512
7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\browsebutton
Filesize
253B

MD5
9554be0be090a59013222261971430ad

SHA1
9e307b13b4480d0e18cfb1c667f7cfe6c62cc97c

SHA256
f4302ee2090bc7d7a27c4bc970af6eb61c050f14f0876541a8d2f32bc41b9bab

SHA512
ac316f784994da4fed7deb43fe785258223aba5f43cc5532f3e7b874adc0bc6dbcd8e95e631703606dfaa2c40be2e2bb6fa5bc0a6217efe657e74531654ea71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\checkbox
Filesize
1KB

MD5
66b8edd5c8d3c2a537edb010936dda68

SHA1
13d17a6cf6abd165defa6a932fac119e1f596af4

SHA256
787b6e964ce0b74d08c69e3c4fccd44afda06d473fd74a876a3ec2bd257684d4

SHA512
70142e2d4f48157108b240a7b09779f18a45f7267ae9dd8e7ebcb9544d71ffc45e2e273103e27d911607705e1920afdfefa45c3d01698cc807f37f71d99d1b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_bottom_left.bmp
Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_bottom_left_inactive.bmp
Filesize
66B

MD5
821930553ef406b0c82d9420d3351c78

SHA1
8511c65f0048f8f30797a13b3d7d8264c314cbd4

SHA256
d5e9f3533cb7d727611aafaa5af22fa07efeaec0391a011ecf9803bed867de7a

SHA512
9d55bb01e40bb411321e60fbb1e60748a7243392456030d81f853448af0af75e27ef87455ad1eebf96af754e803aabd1a82f0653deda52832769f5b74171d9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_bottom_mid.bmp
Filesize
66B

MD5
71fa2730c42ae45c8b373053cc504731

SHA1
ef523fc56f6566fbc41c7d51d29943e6be976d5e

SHA256
205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd

SHA512
ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_caption.bmp
Filesize
206B

MD5
8641f45594b8d413bf1da25ce59f1207

SHA1
afebb23f5a55d304d028ca9942526b3649cddb52

SHA256
0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707

SHA512
86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_left.bmp
Filesize
66B

MD5
30384472ae83ff8a7336b987292d8349

SHA1
85d3e6cffe47f5a0a4e1a87ac9da729537783cd0

SHA256
f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a

SHA512
7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_left_inactive.bmp
Filesize
66B

MD5
4b84f29fbce81aab5af97a311d0e51e2

SHA1
60723cf4b91c139661db5ecb0964deca1fc196ea

SHA256
c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55

SHA512
775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_top_left.bmp
Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\frame_top_mid.bmp
Filesize
66B

MD5
4e0ac65606b6aacd85e11c470ceb4e54

SHA1
3f321e3bbde641b7733b806b9ef262243fb8af3b

SHA256
1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee

SHA512
7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\logo512.png
Filesize
161KB

MD5
2a07b0ad020a4aa08da9b7a6f86c0ea9

SHA1
f4f0de150fcc73de683bef901a76ad334c782058

SHA256
d031bd96f8abcd7a64a5e5f96564bab5863aa41cf849a0e9384e3acfd39f58fa

SHA512
7df46b9137f213ebfb6cd86d4c0c3feda0a28380f2cdbe275a491049cb9ba1633ac9affa1600ee01de71195f873865d39e078b7f9306be668c196ae53ba86e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\metrobuttonimage
Filesize
404B

MD5
17368ff7073a6c7c2949d9a8eb743729

SHA1
d770cd409cf1a95908d26a51be8c646cace83e4c

SHA256
16e6e7662f3a204061c18090a64a8679f10bc408be802abd2c7c0e9fe865cbb4

SHA512
cbc3a378335f131d0146e5fe40cea38a741a0754a26304daebfda6f82c394cf0e151654782c6c8c7bbf7c354fcb72a2c66a77a87df528c2a3fa87c88f204059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\metroinstallbutton
Filesize
520B

MD5
70db38d656afa3778dcf6173d390e61b

SHA1
8b8674d6d70d67943d313d2b74222daa4bd1691d

SHA256
3a0a5b69f9da7cae9fc631326ed8aa97abbaaecf2bf15d0a73169a29f3381e83

SHA512
8888ab493c7342f69b33279eaec4f99c41a906929d65503c48c7059d199fbab267ba9ad6ef6e57a7a56d2a321c01e46008f770afe67fa99ec7b7676ec2376c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\metrorunapplicationbutton
Filesize
3KB

MD5
49ad8e9164fd6facb8a8bfd6f62972b8

SHA1
e23605df242772a047d6d3543aaa72241066abb9

SHA256
914a0241a557591dfdcf3ed1ef0e557ceb153f32c716c53d13342dc5318bbb79

SHA512
843359888242b97b12185954fe6f04bbe8ed14c71f101a79d4863ccdca7d1b03b4e1f0c6cacf26f87a91c5eacb0d4571481bca81a0c3dfd8add475310a6269f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\nextcancelbuttons
Filesize
404B

MD5
583580e2c651f5c230fb3235b7ca0e3b

SHA1
a9bd6aeef43a6f4c0c00d1ecd98a585d7eb0aaa3

SHA256
65172283ee04f2fa18d0e57b21471be2e68017d1f61816aaaa6be070b446346f

SHA512
6c61e6c06c883113a7a0efbd352120354c070f5c17d770b6b821c42cb9d9ca895992842b29b51bd3e569b0c95e93709dd7c1c2a26bcff0ad425079f5302670ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\runapplicationbutton
Filesize
18KB

MD5
f5a120b564fc7823d1c269b7a6e70473

SHA1
1b85466c12f83b7872214f787390614df50eaddb

SHA256
c178ed81de4aa8b049efcf0670c10cf2043a51c6be1144ee95d09c1c2afd6087

SHA512
96d285759f8a8c5d17d7cac4ef224995dfa09554a3687c7f34e63651888c98a9c60095cd1a71c82030781ff6e7d58b7d49068bd9f53126ff7b775579d3368ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\sys_close_down.png
Filesize
273B

MD5
f6a5e71e9cbe8d3654a2cdf91aae98fa

SHA1
8871a1ae25cff6c5a3e6288a58fc5f4d7a92409d

SHA256
4801d63bd9bdc6279765ba785b0da9e10730764a9c3645934a46c691547c0612

SHA512
1b3146dfdef9c46123f27fa355790036f296d600bb10fbad12363c71c8e3a840863512f4a581daa18ffabb3ec5a3720a6337c4bac54be8b9b49d161b9459a1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\sys_close_hot.png
Filesize
276B

MD5
17242d201d004bb34449aab0428d2df1

SHA1
77a332c6a6c4bfc47a2120203cfeabb8a2268a6b

SHA256
15405855866fa2b7c60afbc8ba720aae8f2ba7fb60bfa641dc9d10361e56f033

SHA512
605a97e2614c664417d53263be21c67b1504a46ee61b92b0a84ac18a7baab05eb56b72d4cf27372ae6c157928080ba16e24081e95458eb122ba18f3722c2d21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\sys_close_normal.png
Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\sys_min_down.png
Filesize
205B

MD5
5e947815d865acf099fa753283e09179

SHA1
7d98046d20a73439c53044e0ebb5f0b34afaeea9

SHA256
c1d0663131fe901d890cdd9f18af8f9a553bee4848cbd978f5122e8383b5534b

SHA512
b22e31c37d84128b271c5e5a70fdce90a3bbc02059d1bd032841b3383dbeeca56ec9abe6335453abc8ded1de84e6fcafb648d76d4dcc79246339e9a5eb6d5270

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\sys_min_hot.png
Filesize
180B

MD5
1a883668b735248518bfc4eefd248113

SHA1
1112803a0558a1ad049d1cac6b8a9d626b582606

SHA256
bcbb601daa5a139419f3cd0f6084615574c41b837426ebff561b7846dfec038e

SHA512
d321878ed517544c815fd0236bdff6fcb6da5c5c3658338afba646f1d8f2e246c6c880d4f592ff574a18f9efdf160e5772bbf876fb207c8fd25c1f9dd9ddfd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\sys_min_inactive.png
Filesize
175B

MD5
a2c4802002bb61994faabda60334a695

SHA1
0a2b6b0ceb09425080c5ba4b9cbdef533cf69eba

SHA256
a3b59dbc5a39d551455ff838e71b5820560ca3484c6411b9d69df33d8113619c

SHA512
34e130edc650c3de6020f2d2b5dc1404b7aee0105eb7e315c15c5aa61398d174377e9b6a2aecc55f79f54c04812b8745c6739a201539e291538979e6b024da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\sys_min_normal.png
Filesize
238B

MD5
516172d0ebf941237cef32fcee8cdf43

SHA1
6bee117996c16c7413be876dfc15978d14813091

SHA256
56e64eaf6349ece08005e6f7299de413ed00112d53518215d90690be2b2a4f1a

SHA512
46477a58aa7e9eeae29e1c1d826bf045422709b7c8f428985c617b366012c58121d4404523a75efe77fc6d8e061a6bb209743d0a2af81545898f51c8855728ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2168\viewreadmebutton
Filesize
2KB

MD5
c288a7a350a1a5a5eee9ada36cb6011c

SHA1
d1174e488d08dc4ab9bba3fd7653724d5553898f

SHA256
030e5bb7b7fff395c38433516cf96988939cb794d9d62d550d7eab9cef7d2b2e

SHA512
dc7f9486699b4eb4b8295590112b540ed619c2b956948eec3b72fe86226740f43392dd1898d5f27d553e775351c527ac316f4606389b92bedfc996845649a859

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI68F0.tmp
Filesize
379KB

MD5
44a7b7525b79f0debf1b8e974fedd351

SHA1
03baf0d9da00a2b9dfb0818d611956c3ff7b10eb

SHA256
b91626906fbfbf40b95651fa6028a4600b9c55d29f39948a28d7d2debdb31880

SHA512
38aeec4d9e54a0dc459fb299e400b63320c57840afddcc64dbd7ca02f9986525cb442f5eff4c43b681da0aec71fdfa763d00dc72849c01173d719f995514b9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI69EC.tmp
Filesize
568KB

MD5
bb1d68aa6bf943fbd841c1e1695553fe

SHA1
becf40da1dcabe97cababb6c7ff6a74cb6de1c9b

SHA256
b2ce736ec48d6e9247074fbcec33246aad61f4d3ac2007ac4d8bc74ffb8c1342

SHA512
8cb6b2df8d9163f2d0e5cbe128c9c33120c9358c2b453fe2b0b63f1919b731e856c3121af305c916f80b2ddc9eca23201b47151535a8211eae40602a5ccc5be8

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\Abdal FTP BruteForce.msi
Filesize
2.3MB

MD5
29acc11a8dac1d9c01717a50f9c82f58

SHA1
88fbc62722bd9cbd2ce24c0b8109c8516ab3e3b0

SHA256
b5ad0a6a1ccdc011c30c21662c63dd742625f27f46babea7c8a642b23d30c7d4

SHA512
c879270424260bbff356d39265c7f56d0e55771eaa043cff957108f2b6ce9f8924798b5dc114f97d58101964341ce6d03dcec64a74547de090b75e1d8e01177b

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.exe
Filesize
2.0MB

MD5
7bf976861ba2f60fbea80abc25ffa250

SHA1
50445f3dad8451548788f5e5229bf764d0b2ed05

SHA256
5eca87c2c18f6af072bae4f644cbb3e3436338f0eaded5b4fa700fae43b45d27

SHA512
c85b3bb3ee829d620a35b0b4f4026d129becb6602d7df2651f75aa5518777a2949f85e23967bc94a3d30995bff606347d50512ffe644d1d6fcb2714b8dd9b926

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.exe.config
Filesize
622B

MD5
c7b3d39b8db850da0dab06f2891f6327

SHA1
91e48d653e526744e57eb0c232f381a52316eee0

SHA256
cb762307d033f64b10af40852bdae1ca042ccbbb42e1b4cb8b9730c09160e29e

SHA512
3e36e9dad098a61f36bef6d3321c75720f56fd6a7ad7e8e33be2315f61d1ee661dc66dd73611c776eb2cae4dcaed24bc94bcc785188ef272c6eba8ee16e8bc2b

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Abdal FTP BruteForce.pdb
Filesize
89KB

MD5
1105dbbaecb39cbf7f65202d55078e3b

SHA1
5ecf6e3e6ad2026f5eae8146f14e9040c9d984c8

SHA256
48a75497f0cfafb6d3d66100d7dddb47fae46b238fa147c7e63714c2b0ee6ac7

SHA512
68f7a3d93c3aeea05892d7b2ccb73144c3c2f8e09f56c04f2e6d65bcd406192aadafde6e83c568233bb090d6cffc66983b94deaf698763e5028f16eafb2c7f93

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Bunifu.UI.WinForms.BunifuButton.dll
Filesize
118KB

MD5
e5084eefa8fcd0e266c606e9407e45fb

SHA1
ff091d68e16d44a31d7cdb12c80921d1ed24ff06

SHA256
ca81fd4385f0673b2564f1585ef41678986ff16ca84e07a97dc66924aecd2e2d

SHA512
e1ab7f812971baf769850e13a5e699fafd291583785891fd47f1c6a878feaeef1f359362544accc9c2c563b747e751c740fd36f1796dcfa5c33b7ba7e068728a

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Bunifu.UI.WinForms.BunifuFormDock.dll
Filesize
166KB

MD5
0941cd33a56543e098074253ebb3506f

SHA1
ca5cc60a03611c824490108f3daf2a74e4dfe88c

SHA256
dc5f1c6c29adc2605f5972e76b65e008c1cb8e8507e6403afee6e86f9ea047eb

SHA512
e9b42a4c0e5e99735594f3db45b6817113937485424a98e850733ce751b1888fb142765f15ca498240910cbd3edf30122d561814c3a9b6344be6d7c6efc8046f

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Bunifu_UI_v1.5.3.dll
Filesize
390KB

MD5
441527aa29607afd38fbc4a322304798

SHA1
57a409e77ded4682e263c47695e4c38489ccc05d

SHA256
d7f3b0a3c954ff6c2e62396a76354afb9102eac75f771479b388bacf399a453b

SHA512
42f4ae65d07ddc76fda8b02a97c3908d4c64ae8b25767094f863b5f9c11b073cdbd4b9f56bc5968ac92daec343568291d7d39b4e478682f5157d5f6549cf8790

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\ChilkatDotNet47.dll
Filesize
8.8MB

MD5
a9c60f48f16541f262f91af1b7eace34

SHA1
46a996bc8b2489b115498e702737c2820b0cbed6

SHA256
7b32fc87fb96b426ca1d0c859bf722a8f73a04a7e73500aa71ebae654863d445

SHA512
2ca9433ec79a0027de9271c2da5ea3f0026b48cddbfae438aef800319a60742e5085931de30bdf3db11d9ef558cfd70c7a7a0547fc5b55cc83d9d230445e8b03

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.Themes.FluentDark.dll
Filesize
231KB

MD5
5e3bad161151bfd23ef09985b7996b7d

SHA1
60c08a7a37a61c9ab7673c237dec9a5661e15f50

SHA256
b86b17dba9f9c2c87e8464b5a47bfb66aff19dacc1062a6ab89ee53d7b44312b

SHA512
4e7e8d4cf216628c4830a531bf5cba51e9af9561d15d92ae241346785e5a32ab6c474e62503197d99d5b54474322261ec68d80bc7aab1385798bce1de24817e6

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.Themes.VisualStudio2012Dark.dll
Filesize
259KB

MD5
df3f551e106c16f9205d1994187efd7e

SHA1
13a8710db56c8d04c3728237b5513da122fa0058

SHA256
b6384da2db756083c014205b1dcd9260baaccb7a4c83a33e2c2bedce1521c958

SHA512
e14e2f73456cd66c0afa4085721c815341fe93fabe73c49bb14c45a1ec317f9e44c11f4781857ccd3324f278856b0f74fee6d61e9fcfd02a6e5b51fde2ce4c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.Themes.Windows8.dll
Filesize
259KB

MD5
152d886b60e07adfadd3864dda9198ce

SHA1
ba76d202813f5039c8e639799ce9e35383feb595

SHA256
e5b3d8c0cd787842469c3af1ecaa7fd338557ade687feda815ea46665f17bd2b

SHA512
8b7324f67adda2d6fca966756d3ad54cea1481795ca244caf7e4b35bebc03cef2bd5dfd097fb4e0d8c39850b25567445dcd7b60ffc4667a7f87f89c07b32f790

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.UI.dll
Filesize
6.6MB

MD5
4f4246307795f0720126aede580f6e25

SHA1
e0ecd802924d2d01e3e0f7f2f0844b245d5664db

SHA256
340b1e0cf28c5acf2a35fd68cce8eca955b13e2e3856924ec7010dc5ab33929d

SHA512
5fbc2654c22000f16b5caca83e1ef18e3926a7f0fb4055cf6ae45555a7552d283ff2890d13274e72efda41cd7fb3f6a36d4a1dd478310358dd377e00baeabfa6

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.UI.xml
Filesize
4.0MB

MD5
47b2b9ebbb881d0d43951685071e6830

SHA1
753b615f220abb3bb6a20e7d53536ffe95002744

SHA256
b2d54317303f128757a9c623718959afc9e8ea1cb2ddcbac028402467e9e8141

SHA512
857f501224a2a9189d73a27c51b29f352c3ab1e1ef754e855192eadafaf1a994f828b5f1cc3a47f9f1c06a272a798cd22c4058c8b54f8dd5242f82caff8e7721

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.dll
Filesize
4.6MB

MD5
07d33d36b0622bb8b733eda26be49820

SHA1
68043af4b45668bd2e8612e56b764ec6e561ed42

SHA256
deeeed5d028c5180fccf19db64c4d30026f7a273b58d1774209d7f54428a3049

SHA512
16d2374457689acbe084206777d08f42b9c811442e375d082212834a5827f365078cf75f3fab7a3e5553dfcbe88d7a9809cbf7b0337122e7a57c5ae741877125

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\Telerik.WinControls.xml
Filesize
1.2MB

MD5
115e98f010d11a51b56356264d7b7427

SHA1
39b2c987bd0da0059ac84314e6f37c3059113c12

SHA256
76095bb96c7204314b03965b0cf7877d219286ab8b99627a5022b092f7f6c71d

SHA512
139cc042a2fed3b746c462b003aa2c4f87c8d8a1ca3f6a8346f9e7820074402e6b4b0d8a2f6b76bf949a7d51d1205a2339cdfaca8cfdc93f75e8cc211e5f636e

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\TelerikCommon.dll
Filesize
892KB

MD5
089098628bd484650d2fc8551c606c44

SHA1
b8b45370b643a7f6a81c270f3d81ca84bd0849de

SHA256
526cdad144861612c9204c2d07f008b0668e413d4be922b2c5893f8ce1c035d3

SHA512
ae462a88ff5266f6d4000e131e3f83804e5ef9eee9bb69fc0ab2932135ac14994fc97e5b4a4d021fde190c649054f3c592223c884751da4f3b05a2923090e95d

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\ab-us.wav
Filesize
23.9MB

MD5
87bfe4449018e25699b9a6a39a104eaa

SHA1
90976923ea919840a9020b58b500de449e446c46

SHA256
d64f29af73dd041b288e456b16314a0d35d5e1a2b28f52469bccb0b69fe4810d

SHA512
eda95c86a4793848500c9ab2acff870cec1f866b1e7e3309a1ec411e688b8e8f78f287e8018c209c71064a32a32705a5900fb3ccc0b7065fa2b4e078b752b9bc

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\cancel.wav
Filesize
52KB

MD5
181afaa4983631d90bc004d31d9e71f6

SHA1
ccd7af6cc84b9510bdaebc501743c3cb80690d31

SHA256
fbe03f296797aa2156c0cb96e8bd46b5429f73123a7a28bdd2336005f856a4dd

SHA512
b9445dbf86c0d97449cafc771333e99337d9b9ef3a025763d882c470869935dc659596dafbd68421e745e366ed0c2bf2864f967cd273fad78a827ccc0a189ec2

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\done.wav
Filesize
4KB

MD5
b33c2e9945cd65126835f855fa45cd4e

SHA1
439d522c3ec950a3710bcc03d3fe91ac21a96c40

SHA256
a0b42abfc5ae91787fccbdf196fcdd9380179951477c6b61ca3f59021bd1a98e

SHA512
977c4f5796e3252a56983d06cdbb38946fdefa54514aa2bcecd5ae64e5f3e09bf405e15578e1bc755366a2f4cb9c1c6b06d72d78659031f8af7db1ab55821d82

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\error.wav
Filesize
94KB

MD5
61e0471b76447bf6695a19ff73dc3954

SHA1
3bff596218a7597450202f29379245ecfc21b7e8

SHA256
09032ff96d3e5e59b386836af89a3a4f2eefbc63fa330208e0eaa147560521de

SHA512
96cef1cd43e2f243c07554bc77f8e78947b9862be7a0555af11ab8be8c6d95ea6fd119aea99abce54a778dc1d141e90ad8f600e7ea74df808a67d05c213d1269

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\nsoftware.IPWorks.dll
Filesize
3.4MB

MD5
2f10e19468d1dc2515ebfec2a11dd19e

SHA1
cb57e24c1f2b4f8a1d20cc236eb2c8209170b651

SHA256
b8bf4f21e199f06c5b4f8e751a61e55aeb8456c4ebd4ec2a49eca914e3824664

SHA512
dd1c085bc07d8e8bbd98fbd673e853eef519761659eb9578b6514adfdc381cef783eeafa031fa1f547b7fe81a5229b1ae1f0dd60b4daa8f5524bccb496c469fb

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\pass-foun.wav
Filesize
175KB

MD5
31e437b5b2cd66513e91aa84572ae90d

SHA1
627ec9f29e015b0cc51fc2564adcc5cb1d314661

SHA256
029f41a4a1a75ef86cf7f6bdc0e66ed12e3c1b2eb69c7d48ba8dca2c1465a221

SHA512
eafd898016765605d23f3e963bb143abe9a6170af6b4538e4d23f01a9f7df4e52b6273540a4711d77cf01faeada0da03b62d33532f8850180f45afe883bb78c6

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\password.txt
Filesize
28KB

MD5
5b4c8e4257fc38a0c90292ecaaaf83af

SHA1
6d368f701e7522e9018368504c8615ac3a5a1258

SHA256
33eeb4ea6ad9d5ec40a846ce4fba5753f7a163aaa59b44f58393ff7f704d9652

SHA512
f9f6734a5d2d8eb96dd15b9fd64bc0cd50ff47f8004633a484e650f2666b9aad24c8d29ac0dc41fac13b1d78c43aca8fd3407f6dbe95aa4f7ce14d8a5e793b93

Download Submit
C:\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\368B233\ProgramFilesFolder\Abdal Security Group\Abdal FTP BruteForce\start.wav
Filesize
129KB

MD5
bf1a18f8bfbda034cf974e63ca59de25

SHA1
122b4370d3f118ce3a9b49c32c3b5d00083c3e39

SHA256
055a2a8c3aebd1c3768b9b2119fbee311a52db1e247507dc2954f46d22886106

SHA512
bfc9d33661bd21052acaea90c8cf233d3038f5e9a568f0ab636e74243ae6fb95b6415db84f2a3f9cdce4e68a9a9b5fb1f015d507bbb7732e51a853f061cc5ef7

Download Submit
C:\Windows\Installer\MSI7499.tmp
Filesize
269KB

MD5
d539bed2508178db9a026abb2a259f68

SHA1
c7e6fa3fa651d9d40e451f38e0a9bc4e4ccc3aa6

SHA256
a362672cd32caa3e5b4733426761154dfc036ebcd0656d5203fdcb20efbb2152

SHA512
4f1b0534e69d4a7d6b120549dc63ef1a55852e233ab27b908c8be96a85f8359dbf2f74ba7e97b06239bd7783b6f0a0c40726b29d0b638dff5cc39e5e4a75f7e7

Download Submit
\Users\Admin\AppData\Roaming\Abdal Security Group\Abdal FTP BruteForce 1.0\install\decoder.dll
Filesize
202KB

MD5
a4f3eb01f1780e82360ca36510da2537

SHA1
e930449e1b5dc94e062e5ead80cdeacf164a682c

SHA256
be29096f6adb99abd29f99e0966bc9aa0f242cb46a03d5592f4a5fbeaf2f6cee

SHA512
cdd9d6b27ab488f4bb29ced7d8ebd8e9f62c79d17fbc3ff9fbde449035d5539138025826acfeb4d8528c81c9009c6e95e242639ee75d443c3a31d8ba1a4fedf9

Download Submit
memory/2168-279-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2168-0-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2420-560-0x00000000011D0000-0x00000000013CE000-memory.dmp

Filesize
2.0MB

Download
memory/2420-563-0x0000000004C10000-0x00000000052A4000-memory.dmp

Filesize
6.6MB

Download
memory/2420-564-0x00000000057B0000-0x0000000005C56000-memory.dmp

Filesize
4.6MB

Download
memory/2420-565-0x0000000005F40000-0x0000000006026000-memory.dmp

Filesize
920KB

Download
memory/2420-566-0x0000000005660000-0x00000000056A8000-memory.dmp

Filesize
288KB

Download
memory/2420-567-0x000000000A1F0000-0x000000000AABC000-memory.dmp

Filesize
8.8MB

Download
memory/2420-568-0x000000000AAC0000-0x000000000AB08000-memory.dmp

Filesize
288KB

Download
memory/2420-569-0x000000000AB10000-0x000000000AB50000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads