neshta | 6131f59ade95f5aaf4f78c1cbd31f033ae508bae3418d30ad9b7e35e3f96beb6

Analysis

max time kernel
1730s
max time network
1818s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-10-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Find Wallet v3.2-Crack.exe
Size

3.6MB
MD5

a5aad19f2467992040dce284a1d34016
SHA1

9bf000680f2870272ba9f0403ca4dc526fb7c16c
SHA256

6131f59ade95f5aaf4f78c1cbd31f033ae508bae3418d30ad9b7e35e3f96beb6
SHA512

826ba74121fc2da46e5c2c84bd758b367febbb90ff408abc723c4e7add75a8b3991fa21f19eae884b1979d9fe845d6fa5ef68a33c4a815c0d90bc58b83ef3d47
SSDEEP

24576:E8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tsbV:E8j/MW+ise8IW4rF5ovXy6t7BQj1PU

Score

10^/10

neshta stormkitty collection discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 41 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
behavioral1/memory/4672-137-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
behavioral1/memory/2100-314-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2720-345-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2100-355-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2720-356-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2100-357-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2720-358-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2100-388-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2720-389-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2720-394-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2100-391-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\Find Wallet v3.2-Crack.exe	family_stormkitty
C:\Users\Admin\AppData\Roaming\Client.exe	family_stormkitty
behavioral1/memory/4504-32-0x00000000009E0000-0x0000000000A36000-memory.dmp	family_stormkitty

Executes dropped EXE 5 IoCs

Processes:

Find Wallet v3.2-Crack.exesvchost.comClient.exesvchost.comFINDWA~1.EXE

pid process

2748 Find Wallet v3.2-Crack.exe
4672 svchost.com
4504 Client.exe
2720 svchost.com
4776 FINDWA~1.EXE

pid	process
2748	Find Wallet v3.2-Crack.exe
4672	svchost.com
4504	Client.exe
2720	svchost.com
4776	FINDWA~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

Find Wallet v3.2-Crack.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Find Wallet v3.2-Crack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Desktop\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Documents\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Downloads\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Pictures\desktop.ini	Client.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
17 api.ipify.org
18 api.ipify.org
19 ip-api.com
1 freegeoip.app

flow	ioc
3	freegeoip.app
17	api.ipify.org
18	api.ipify.org
19	ip-api.com
1	freegeoip.app

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comFind Wallet v3.2-Crack.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	Find Wallet v3.2-Crack.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com

Drops file in Windows directory 5 IoCs

Processes:

svchost.comsvchost.comFind Wallet v3.2-Crack.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	Find Wallet v3.2-Crack.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FINDWA~1.EXEFind Wallet v3.2-Crack.exeFind Wallet v3.2-Crack.exesvchost.comClient.exesvchost.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FINDWA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Client.exe

Modifies registry class 2 IoCs

Processes:

Find Wallet v3.2-Crack.exeFind Wallet v3.2-Crack.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Find Wallet v3.2-Crack.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	Find Wallet v3.2-Crack.exe

Opens file in notepad (likely ransom note) 4 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

4368 NOTEPAD.EXE
4228 NOTEPAD.EXE
4888 NOTEPAD.EXE
3136 NOTEPAD.EXE

pid	process
4368	NOTEPAD.EXE
4228	NOTEPAD.EXE
4888	NOTEPAD.EXE
3136	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Client.exe

pid	process
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe
4504	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client.exeFINDWA~1.EXE

description pid process

Token: SeDebugPrivilege 4504 Client.exe
Token: SeDebugPrivilege 4776 FINDWA~1.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

FINDWA~1.EXE

pid process

4776 FINDWA~1.EXE

description	pid	process
Token: SeDebugPrivilege	4504	Client.exe
Token: SeDebugPrivilege	4776	FINDWA~1.EXE

pid	process
4776	FINDWA~1.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Find Wallet v3.2-Crack.exeFind Wallet v3.2-Crack.exesvchost.comsvchost.com

description	pid	process	target process
PID 2100 wrote to memory of 2748	2100	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 2100 wrote to memory of 2748	2100	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 2100 wrote to memory of 2748	2100	Find Wallet v3.2-Crack.exe	Find Wallet v3.2-Crack.exe
PID 2748 wrote to memory of 4672	2748	Find Wallet v3.2-Crack.exe	svchost.com
PID 2748 wrote to memory of 4672	2748	Find Wallet v3.2-Crack.exe	svchost.com
PID 2748 wrote to memory of 4672	2748	Find Wallet v3.2-Crack.exe	svchost.com
PID 4672 wrote to memory of 4504	4672	svchost.com	Client.exe
PID 4672 wrote to memory of 4504	4672	svchost.com	Client.exe
PID 4672 wrote to memory of 4504	4672	svchost.com	Client.exe
PID 2748 wrote to memory of 2720	2748	Find Wallet v3.2-Crack.exe	svchost.com
PID 2748 wrote to memory of 2720	2748	Find Wallet v3.2-Crack.exe	svchost.com
PID 2748 wrote to memory of 2720	2748	Find Wallet v3.2-Crack.exe	svchost.com
PID 2720 wrote to memory of 4776	2720	svchost.com	FINDWA~1.EXE
PID 2720 wrote to memory of 4776	2720	svchost.com	FINDWA~1.EXE
PID 2720 wrote to memory of 4776	2720	svchost.com	FINDWA~1.EXE

outlook_office_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

outlook_win_path 1 IoCs

Processes:

Client.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\3582-490\Find Wallet v3.2-Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Find Wallet v3.2-Crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Users\Admin\AppData\Roaming\Client.exe
      C:\Users\Admin\AppData\Roaming\Client.exe
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4504
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\FINDWA~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Roaming\FINDWA~1.EXE
      C:\Users\Admin\AppData\Roaming\FINDWA~1.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2948

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Find Wallet v3.2-Crack.exe.log
1⤵
- Opens file in notepad (likely ransom note)
PID:3136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Find Wallet v3.2-Crack.exe.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4368

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Find Wallet v3.2-Crack.exe.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
494KB

MD5
ceced31aca04a69cd06404809a54bbb9

SHA1
a94e3de9ad906b5cdfc12cf885f2beb8fd9b2ce8

SHA256
5b5f51586f0b7d3afd9aa1b57ef8c3f0103f62468248468fa79180919708f944

SHA512
45a5fa636071eef5dd7649457a3089cafc6241fae6b66a68e49287e95367e9a3903aa5407724f571df30d406206d88ff70a5f2da0f1b4f01c751a869b791bcf5

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
267KB

MD5
15163eb05b0a8f65a5ca3c74a658077d

SHA1
8b116062a5754fa2d73fc4df9f635283ae1ccd02

SHA256
8751c43ee0f3f0e080103a9b77be9e79346004769ed43d4cadd630ea15d26dcf

SHA512
a8299e9a522aa58429847920b999598551c1863f63ba473178f61cde43fb91cab6ef62c9e1a51268e54338e012ccfe6428a7c37bc89007d1604fafa2560258c9

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Find Wallet v3.2-Crack.exe.log

Filesize
128B

MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Find Wallet v3.2-Crack.exe

Filesize
3.5MB

MD5
68f929dc1286bf7af65bf056845f9b42

SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd

SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82

SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
bcdc044b2e6d5f00c1303ea86a3d0333

SHA1
69a8c612f9df182c3909e689a4abf9713050029b

SHA256
ec4aa5aab7d866403727fd2bbe2d856637ab49fa2bfdd09e6971aa639e60619d

SHA512
09805e6f64840f0cfb4bdb3b1a0f03ef7e30d50c63b24acc14c8f53695a252526b19248d6c0547aa94d60453314692ecfcd432ce7326de6c892635ba726356a1

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
320KB

MD5
bc5da83795b587fb1dfce2d6bef2d176

SHA1
ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0

SHA256
d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb

SHA512
503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Desktop\CompressRegister.xlsx

Filesize
610KB

MD5
92e401724e8c79d516d94954c8b09988

SHA1
d5316fb9f1c46a8a16270d0dad2dc86b19747f28

SHA256
cc3db704313221202c8fa8d44c61096a927454312a1f7103b0e9c0a4e5ef3b09

SHA512
21323861408306c9b4091ac98da5264fd353d9395d931b8cce057bf3b36e00ef832b94b8a2b967b7a38b8c0f22ae0b6a9995aeb4202696177f41d5f1a568633f

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Desktop\CompressSave.php

Filesize
403KB

MD5
259e5796e2dd81d3a4f17822cbd55a0e

SHA1
516f3dbc31f59788c18e9df7375ae91c1862bfb8

SHA256
50c2cf5cade63764bc84cb53d66c6f468f3d4c26767da4f6b74c591e9df00e48

SHA512
c97b10d4d1478837f8d10a3333e5a767d9db71636c1d3d97ff8c2d12b866aef6dfea39330619eb7723cd2d3fafd870d5126dab976a6b8b6b0a799cbd4bf16686

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Desktop\DisableNew.docx

Filesize
693KB

MD5
b5a7856a9ea2cbd3e8f2415ac6f48b0e

SHA1
f8faa159d21066051099c7abfb123a42c504035a

SHA256
8de72e2b00d5ae3cbe39b229e7b7149bca70ba4ed1e1e9eae115ee183639891f

SHA512
861fae8292fb869f63f576f2d4b6e948818e2a04eeaa7b596d28bc954ab5e6875e9ed08301ab405c215d065dbe03e097d76d2a6a82a4ca7c9046fce39688b736

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Documents\FormatLock.pdf

Filesize
267KB

MD5
a89c4036ba3a0292e553a8e92645ebb9

SHA1
5719f9016ddfe3f719df0cdc3d19df7c076b5466

SHA256
5508026a3ee10c486ede183e7de988e0514fe98019b51c240f6e045f2894c693

SHA512
3783ddf7ea6fb5a41bc9e32c943fff8a40d1504af50b676f010bd73947fc1b7085c4aa2a70332c6043fb6e74daaeb3ce143e80dda5af48404c2d835e27705096

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Documents\SearchUnpublish.doc

Filesize
256KB

MD5
89a59768c990d5239bf963e8454bb4b0

SHA1
83f7d38f60820102642d84ff424e2392c99d74ac

SHA256
251b4d330f39e553e4c40f902582dcb27013f2079cbe950eea135ba0b63cf308

SHA512
ad56e59c69ae0ae56af2acc703b12a207c364e87094e3d96c2d72722e8246d8c06f5f5926f962f68b0e214e37c471790e90ad4a1300a2f3b8149331cce7d6c1d

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Documents\SelectResume.pptx

Filesize
308KB

MD5
aa39f6567ce7a2ff012ba704d396d57c

SHA1
64c4bebdeb8d9086ab64c1ee34e44561fc11e666

SHA256
c941d6a3ec4ffbc6bc7993b18ad2f9d9a44b11af4e01813c5a68d97da38a40ca

SHA512
7ab5c2ffa33d944f147f6b4cd19347a14bb67371864d0f08577a6dcb234fafe274d6390f954ebfcba3d441345ec4643c5d1a2415ea42bfc48ff201b983bd1c6b

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Documents\SelectStep.xls

Filesize
371KB

MD5
44994b8b308cff0d3cc0b0ab1bb09dd6

SHA1
3f728ba7e7571d52c1b30b308ff08849897ffbfb

SHA256
c9dd3e0e61405cde55ed960c97d03df2be007c5989acb5f4fc803c2a9fb8ec8d

SHA512
68c140bfa4d1b854968bf3770dd31c899cda9743c905ad050daf4289688c21adc5e15e0a963ed643ca344b3ccec58378cef038f32f9a08c9dc67fc847b49e711

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Downloads\DenyMeasure.bmp

Filesize
341KB

MD5
f6251449a474aebf8e317ee5eaf00233

SHA1
771d96214831301cc82d65cb13fbfc2a268ccb3d

SHA256
8af6718a687b608a5a08f5cbcf86e4a68ad5c0e334d57b0f914714b86d4f9477

SHA512
86db90c4c7f792486b25d20559e733e215be71fa8e44abec5770e53dedafd5cfef90e3cfcffce98c7cd1956db33643ac7d729d0919af7b25a6e31fd2e2346b28

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Downloads\OpenPublish.ppt

Filesize
385KB

MD5
763e38209017ec3827ef6f5f9b70a611

SHA1
ecfe9a23dc69bfe1669ca212b1270d7bc4ac010b

SHA256
188557553daafa63db02db03eebb974dfb140a5075ebf7ad75012b45f6ab59ba

SHA512
68d6a08f79b4b516bb629f1bc40914251b3c2e06f0951ac59701afe3c6dd0ee868b1e4fbbe4f2ce37f55e3cb4476d8c17d18fab8b4a11302a514d9fbf3d2cc6e

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Downloads\UnlockLock.rtf

Filesize
198KB

MD5
c2f3662acb63af17e38028c5b0b34fed

SHA1
baab09893808694a87c190a6c04021141c0f57a4

SHA256
e772aaea75d79617cb1802595a3c88136877ab4fc31a447e5a0c19c664ac70d2

SHA512
a060e57df027437e5e0b1e4b4027f8dfaafa0f7f70319fe71debc41c5e5ce65ad6a2b286c58a1a5138a8315ff2f37377f0bb932c33c328b2043c8bea6ddbf5cf

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Downloads\WriteOpen.svg

Filesize
352KB

MD5
27ae2a26d4d27c479b2e34f2b3e80c87

SHA1
59beedecacb0e9b71a9d8ebcb804aed9add5b309

SHA256
4a78248ecb1f92a5d916b02275679c0e44f9c3488943c25267005b21c60cde7f

SHA512
b9d1682166dbe90d4877e6d6e5d358b7029f0bc52428162ccb6d82c8ca75adc23ac874eaf0823bd9b6587b901ce9360ec03eb48cc54a922a2f49d85defb190cd

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Pictures\DisconnectCompare.jpg

Filesize
436KB

MD5
6c999a4fd333fdbb765836de79273751

SHA1
1493104514ee07ebf2e726e19ddb1fa0f49b72b6

SHA256
ad1cd65c0b72a6dc2129fa16aa90d6f94256f3e0b2494a63311bfadc95b3c7eb

SHA512
74015d4a3c52c982275ca3a321854d1409dfc3cd85889fcf57a6f8373b6962f3c8e6569ecd0009b82d182c5007c94b4c45dd806081b2ec0540c342ad36aae6eb

Download Submit
C:\Users\Admin\AppData\Roaming\DFZPKZRM\FileGrabber\Pictures\JoinPublish.jpeg

Filesize
954KB

MD5
1728d34eaf5339b7262f9cf8a45ebb82

SHA1
97eccb6438766f0d381c56590fe5f38fb9c77feb

SHA256
9b3a18855fd5befa5a264df63a569941bd947e6e50dc709c55a7e6d49248fd2b

SHA512
d5396f3eaa627620a54706564644011cf777f1ad9da998825d122af8c905d466ebcecc0fb0983cf9f6d9506d36cb4395323d38fd754aaeae8a6f5f928d235ffe

Download Submit
C:\Users\Admin\AppData\Roaming\FINDWA~1.EXE

Filesize
3.0MB

MD5
c309cb9865dfc6dbb7f977f4c0f722c0

SHA1
b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9

SHA256
51472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5

SHA512
a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797

Download Submit
C:\Windows\directx.sys

Filesize
88B

MD5
d2ab55f007720f9ae97eb413f4f39c00

SHA1
509cc652c8156f88cd77e1ccf1fce57369ac97d6

SHA256
c5d4d3e03601278da446c5a4f523668942e9e186fd85e9bfbdd3d2c1afbb1eeb

SHA512
2b373caa9f261abb649116176f56c916ba912c3a15293eea7dbb6442e59cbe5adc412c934b890baf0070d93ffab1d1657c786c117aa1396647e3cd6d97c3b7df

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
288793866a6c261d3f1c5732fe45e9fb

SHA1
bf48902112f0cbb17b00f3ba8234021a1b627aed

SHA256
1f1d36dd6de17efbed65e2d52627c073cf3e07d3df3827de75309a153433dffa

SHA512
4880625d7934f8b3f10b3998f856e33c9eb69e62fe8d1ecd82466ab1b380eb70e2c7810e3916382b53747fca8f195e8ecc001c11c4020a88126c5dfb079bfd8a

Download Submit
memory/2100-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-9-0x0000000072C90000-0x0000000073240000-memory.dmp

Filesize
5.7MB

Download
memory/2748-30-0x0000000072C90000-0x0000000073240000-memory.dmp

Filesize
5.7MB

Download
memory/2748-7-0x0000000072C90000-0x0000000073240000-memory.dmp

Filesize
5.7MB

Download
memory/2748-6-0x0000000072C91000-0x0000000072C92000-memory.dmp

Filesize
4KB

Download
memory/4504-135-0x0000000006A30000-0x0000000006F2E000-memory.dmp

Filesize
5.0MB

Download
memory/4504-132-0x0000000006490000-0x0000000006522000-memory.dmp

Filesize
584KB

Download
memory/4504-32-0x00000000009E0000-0x0000000000A36000-memory.dmp

Filesize
344KB

Download
memory/4504-143-0x0000000006940000-0x00000000069A6000-memory.dmp

Filesize
408KB

Download
memory/4672-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4776-138-0x00000000081F0000-0x0000000008228000-memory.dmp

Filesize
224KB

Download
memory/4776-33-0x00000000001C0000-0x00000000004D0000-memory.dmp

Filesize
3.1MB

Download
memory/4776-396-0x0000000000CD0000-0x0000000000CF2000-memory.dmp

Filesize
136KB

Download
memory/4776-397-0x0000000017450000-0x000000001797C000-memory.dmp

Filesize
5.2MB

Download