stormkitty | 71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Size

1.1MB
MD5

e10d4a9fb3f6cb40b721a883f5b21333
SHA1

2593e6d56fe6c76216c026eaf44aa1fdb61137ff
SHA256

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c
SHA512

321137c35b903991c1653af0bf704dbe9c7ded42b941260a7a3222b0407d5dd91c593fca18ab599347fbcd985a29aafef45d97990c170c1f1dca4f04d59c22d0
SSDEEP

24576:5nsJ39LyjbJkQFMhmC+6GD9c0P8j/svqA:5nsHyjtk2MYC5GDzP8j/Mq

Score

10^/10

stormkitty xred backdoor collection discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c59-7.dat	family_stormkitty
behavioral2/files/0x0007000000023c68-21.dat	family_stormkitty
behavioral2/memory/4000-143-0x0000000000070000-0x00000000000C6000-memory.dmp	family_stormkitty
behavioral2/memory/3996-144-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral2/memory/2936-491-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral2/memory/2936-632-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral2/memory/2936-682-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	LocalwCsRGYdPHX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
3996	LocalwCsRGYdPHX.exe
4000	._cache_LocalwCsRGYdPHX.exe
2936	Synaptics.exe
2044	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	LocalwCsRGYdPHX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\ProgramData\OFGADUSE\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\OFGADUSE\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\OFGADUSE\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\OFGADUSE\FileGrabber\Desktop\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\OFGADUSE\FileGrabber\Documents\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\OFGADUSE\FileGrabber\Downloads\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\OFGADUSE\FileGrabber\Pictures\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\ProgramData\OFGADUSE\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	api.ipify.org
57	ip-api.com
13	freegeoip.app
14	freegeoip.app
19	freegeoip.app
55	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1680	4000	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LocalwCsRGYdPHX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4296	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4000	._cache_LocalwCsRGYdPHX.exe
4000	._cache_LocalwCsRGYdPHX.exe
4000	._cache_LocalwCsRGYdPHX.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
4000	._cache_LocalwCsRGYdPHX.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
2044	._cache_Synaptics.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	._cache_LocalwCsRGYdPHX.exe
Token: SeDebugPrivilege	2044	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4588	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3996	1848	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	83
PID 1848 wrote to memory of 3996	1848	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	83
PID 1848 wrote to memory of 3996	1848	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	83
PID 1848 wrote to memory of 4588	1848	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	84
PID 1848 wrote to memory of 4588	1848	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	84
PID 1848 wrote to memory of 4588	1848	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	84
PID 3996 wrote to memory of 4000	3996	LocalwCsRGYdPHX.exe	85
PID 3996 wrote to memory of 4000	3996	LocalwCsRGYdPHX.exe	85
PID 3996 wrote to memory of 4000	3996	LocalwCsRGYdPHX.exe	85
PID 3996 wrote to memory of 2936	3996	LocalwCsRGYdPHX.exe	86
PID 3996 wrote to memory of 2936	3996	LocalwCsRGYdPHX.exe	86
PID 3996 wrote to memory of 2936	3996	LocalwCsRGYdPHX.exe	86
PID 2936 wrote to memory of 2044	2936	Synaptics.exe	87
PID 2936 wrote to memory of 2044	2936	Synaptics.exe	87
PID 2936 wrote to memory of 2044	2936	Synaptics.exe	87
PID 4588 wrote to memory of 2284	4588	AcroRd32.exe	95
PID 4588 wrote to memory of 2284	4588	AcroRd32.exe	95
PID 4588 wrote to memory of 2284	4588	AcroRd32.exe	95
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4156	2284	RdrCEF.exe	97
PID 2284 wrote to memory of 4760	2284	RdrCEF.exe	98
PID 2284 wrote to memory of 4760	2284	RdrCEF.exe	98
PID 2284 wrote to memory of 4760	2284	RdrCEF.exe	98

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
"C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe
  "C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1408
      4⤵
      Program crash
      PID:1680
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2044
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalfoWhpQgnAt.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=25490B6A5108B85E29AE317553840714 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=25490B6A5108B85E29AE317553840714 --renderer-client-id=2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=31C2A71D26F6D507990CF2731D18604E --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4760
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C83D174F0CC07DCA1805C8E172BD16C3 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1204
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6C4A89D7C9249B3CC3F3BF542058AD27 --mojo-platform-channel-handle=2020 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2500
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D099B905771BB79C708ED4D5DCAE2BA7 --mojo-platform-channel-handle=2520 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4000 -ip 4000
1⤵
PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OFGADUSE\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\OFGADUSE\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\ProgramData\OFGADUSE\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Desktop\ConvertFromCopy.xlsx

Filesize
15KB

MD5
a3cf11e8c1dd910c2f9ddc3f5fdd9e58

SHA1
69bf73835c07968d0f6cd557e237c3bb61f3485c

SHA256
23e5f05eba9aedd0fd096899805d7c9c76c620a8e02795cd863e4112182a9129

SHA512
95aa77824fb1b9b0718728d97a3ac711706a31884c23ae21f628126f39e51238cffaf339acd656c4f32b43fdadff2e19ea87179b297013ba0996a020b3bced81

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Desktop\DebugWatch.jpeg

Filesize
304KB

MD5
dd273b4598056b8eabe3559c665ad5a7

SHA1
4fa2c367de751dcc65aed49f8845aa847a796fa1

SHA256
6ea101f6d52aeb3ed25f0b24d73b73d47ba1878a1330ecdfb594fe8270427fc6

SHA512
c926c5e81ab68f8929fa4eb1adfc6eed6577abbe6653ef997e9767e4a5102fc3ca6e1b6f7902d9736e0f6671f5bb90b60145d286ce8054b33cb53d1ae2488eda

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Desktop\LimitRegister.sql

Filesize
286KB

MD5
02bc823c8b9bd182b07762236f0633ef

SHA1
e14335fa9007f5aa6bebb507a4daca6c50bdd875

SHA256
a2f12771523d84165d4785d1e1dff224ade1aff8a8d12dd40b8fc883793386ef

SHA512
772129a18ed9ca60e7e9adc6e7406f826b471529d5aa79fdcc2dd4ee699c85695f7ac29bd2ee15d92d356f2e3b424c8adb72dd2ad4814283607e45fa9fdd8d2f

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Desktop\UninstallRemove.docx

Filesize
16KB

MD5
af62aecc94e094bcea5dc59ce1a2ae6c

SHA1
a531482052d05c8cff8c85cf474f9deef5907418

SHA256
a4c1d13bf49d3229583c689dac82d9ac17e36b9107f54df4a46803196c8fd607

SHA512
f615afe96050c1b14269026337155f4a621141399df82ba301a93803a3f1d52905a077f388efdd19ab7993d61701754791dcaa54b3e9fe4801c4ab9875afb7e3

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Desktop\UnregisterGroup.jpg

Filesize
268KB

MD5
b517c8f23c88cf6b9f87bc49577c3235

SHA1
0dd35906b05aa4a2740471f74d365d2111b42dd5

SHA256
5a3248626544a97b4fd45c05762cfb0eb5f1d3d1bdf20267adbcc8ecaa32a817

SHA512
08dd308ce343e00f6b26c144d746c6e679c33a0b98f3d39aac6568b3e33d1c3ff3e28d4d01938f7b129a8f3e518dcb8bb6861d4cde612e5007be2e897c2f45e7

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Documents\AssertHide.docx

Filesize
15KB

MD5
e49c7777871adcc0ab669ca957d3c5e1

SHA1
54d4e316477e1fe13f398da9bab706994d01bda5

SHA256
edd6486852586042e4398de1c8ffb5d70a13a24f45b3ea0bb72b3a6de494d63a

SHA512
9310f3cdb70984dc4ba6c24cd68279283853475cdc8d872d28963462b855635d15326157a758c27cd36a54ae33f7f14df7c4ef835a9ca3a7b9fc36cccca1ada9

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Documents\DebugUnregister.xlsx

Filesize
10KB

MD5
715bcde27aa49634051e596cf23b8377

SHA1
5b14c3884c3095013aa6daa03a14bbc5c4c3cb39

SHA256
01c8bb63c69023a569be2c4554340c561f18b8918f7e21e37dbdcf91100837c0

SHA512
8d770ea320c7f4162b52e9975500f337683c56a68eee28344ff5fffbc4e9217cc606ad4f208113419ddbb932e3620768610153a5ea16f5e7a07d10ca6ecdafd6

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Documents\FindEdit.xlsx

Filesize
11KB

MD5
1f6447cce738d800e506bbc7948ea76c

SHA1
0d9d0e7c588dc0d20198cd7319d3bcb2a176520a

SHA256
ca87222311358d134e0ac793ddbf3984fd1d9b88c312f760ccd8151b7901f815

SHA512
f9568f3a4b5a1ef01b3c25410308863356079b78afa5afdf16610f879b6bfe3fd63fab9411e474c2048b6abd5ce94118e54db0c35670d096c8b3f5df61711a29

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Documents\UpdateConvertFrom.docx

Filesize
15KB

MD5
c77f598ad101219504822e78d0555a45

SHA1
ffd8c92aadd24451fdece07f430d32dcd22cb71f

SHA256
4eb43cfeec34b2bdc47a38eca49947a0651ca6be7ebae6173e726d973bbc73d8

SHA512
f3ff003a7f0c66d1373677fed3cf703c7b6247acc3ab44b673dff2c289e4dc5281c1d938664a88d42b7053085552ee9d961dab83fe00fa05661a72fbf173e18b

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Downloads\JoinUpdate.jpeg

Filesize
305KB

MD5
a76a187d369fcccbf940a2aa2c3dfc41

SHA1
34b39346b7680a4a5ac86725217779b18cf4a5ee

SHA256
5489ae110dc4f508ce109d15398c4ad58dc53bd6f46b88aba607bddf9e66654b

SHA512
8b136446cb36bea5e71f6e76c75f9d195b405d2a5701848d1b4c463642a32b823d56e044731268ac45cf34f377760843c09f3efb8952aa2fa5e747b2b8708c42

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Downloads\ResolveMove.jpg

Filesize
246KB

MD5
3c5b0de8d531e57138676cc5f2915198

SHA1
d9197bcd1542fa3ef139ea51f88cf960e2dd532f

SHA256
883230df3e7a9af86d7094bd7a5ec49f8169b0033b3b24b4c312f43af56f6a60

SHA512
69ba305c9f2238cf068f6876ca93153117672959a459930de5795eda9c7892289523b6eacd3cde2f81a5849d6aa3a68f335923db894062b752a8f8fdc7ac626c

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Downloads\RestartImport.bmp

Filesize
634KB

MD5
da03d367ffa88e26469380125164e594

SHA1
50f90ec6f4a1dc545448d91739b7c4166c8b32ed

SHA256
29c0cc78133c6e00fe5512f35ebdc7e2a0be5f653988e596d6e34386c68c4e4e

SHA512
fbc9a30350f69453a0faaa66c4bee097745f521e7fc8af6ae14c80b97d72da0434c4c6ead73c93478e292c5ba239e6076e606eba36947286f0d456d6ac044a1c

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Pictures\ConvertToDismount.svg

Filesize
679KB

MD5
59b014394d53ff749a2643020fc93bb0

SHA1
b373bc753f2b298124b8ffcbb151a8cc099f0396

SHA256
4200691bd09cd2806485f2aa578f73bcd58126981b5b6fec72bcb15dd44319a7

SHA512
712c33505dd79c8ae1305ff2473c1c3fe4e0b484a37a5923407d81fc82eb69dc9cdb166cf52eb9148be503c406d42774cf6b7ac47dc2b5e3bf54be6cfd672c27

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Pictures\FindClear.jpg

Filesize
470KB

MD5
7b0967a6017802ae6e96c4d2d1420df6

SHA1
cd8730d76afdedf664fbb2c4cc67da27b2a4b5b4

SHA256
066be2aeed77012d079c2fcd90259499aa6abe22d73a442975c0f99ed1f6abe6

SHA512
e9c00838c0fe23cd2ec239e08be0875fd0f9899ac64e39f66083227e4d009e4e0b7abd974d723cb3529f624378b7099e98c595db029d8beeaad259aeeedb2310

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Pictures\HideDisconnect.bmp

Filesize
853KB

MD5
acf0c0148bd0d0d00a05329b651cc910

SHA1
bcedf5c60adf36146ff9b66a2038ac188347ccbc

SHA256
bb8f27f61dd90679c10ce4c80e1ebaf901c822266c6d05f23852a323870aa9e9

SHA512
187269c5357b42a2fd85b110ababd887184b8ea610fabe05dc94aab0ebe6e4a807994f3b9c46d30c76942390c006364c75a7e84aa497750e5fe358bca611b451

Download Submit
C:\ProgramData\OFGADUSE\FileGrabber\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\ProgramData\OFGADUSE\InstalledSoftware.txt

Filesize
1KB

MD5
bca4ee4b0d73edf2835ac08ab38d1bd9

SHA1
a833d7663f5edecc050b37b7efd1d563268ea0df

SHA256
0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f

SHA512
48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
196B

MD5
d6f446d2b11b98fd577a28a826e0cef7

SHA1
03abc02bc3aa124f175c373110e6bad11ce2c085

SHA256
a5fc6707e5fff0ee77eb1211d350dc7c8ef69159a9b6008da95125c8d5f870c7

SHA512
dba27d031f423346ea20d52e396afab19c4cdf43741bec0d2c53486aa4d79e5702065eed107062a9815e825dd658f70b852822d836e9cc88480da5dd5ab29b95

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
300B

MD5
c102bfc672847762a166e20a5fb79748

SHA1
66973dcc14925996e3b6dabb91f0bf2a968051c2

SHA256
7e0cf37a8f1599587882c9738c6dca4062d70938d99eba5cc530196362143100

SHA512
e060d6362cff3fb559b78e40a3535fb7b39cbca34a0975f87a431e8e1af3546301cdd0d1f1b7ea900db401f9570a42b2c212069c01a11db713c83579d4125473

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
352B

MD5
bab80897e8711190add8f052cc1b6fa0

SHA1
6e3c11e9682685c8bbd0f7edc01c7ca790c5fdef

SHA256
7c9ba630b60392bcad0c80b50903fd9cee49caaf3343693d868603c99d7106b3

SHA512
21b2030f5355aa919bd194894c97cbf4f71f37aedfb0270caf4d10dcbc39e6059e6c7e7db46945a6bc79461341b8875156b30bf05cce9db117ab1eba2d0dddb5

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
404B

MD5
5aff10a67926c6704f38742fd7c8b332

SHA1
f737cf472edc852d5eac5739be4407c1b4839c45

SHA256
54061f21aa17719fa7ae0ad15fe2633c773a3792f43eb8cd80c741a61fb0b22d

SHA512
1999bcc76e98cfa0a49e3c13c98adbc0cc981219e80d8c3ad4b19e871abd022b9c7547e105fd54c7c176256fd5b44c70a4227153fdacb13873481663dc01c593

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
456B

MD5
3ff44e50d0b79a11ba40d95562a312f8

SHA1
acdb5554277e226c1329e6001e89f35ceac45276

SHA256
896304f7839a0f53fe1357c209584906d94cc8a3fa9a45e09d1c7c3c2d596343

SHA512
9bc5df36634387c94c5a375af70ef880c2dcc839ef04a4d1dd0ffc6b4ff0a717ecebdeb0675190b56c865eafb18c28837131190a6d8492ca01812d880e44264e

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
508B

MD5
9d4e80107f212c097c4cb2d61a994456

SHA1
870a5a9438e3b426b5019db869c23940e96a5ace

SHA256
e81d1ed59faf3a0fce38f8800ad6777fff343821a7bdc51380d5de21b45eee07

SHA512
7fca2b7e6aeba6398d323df0c98c2a60512b793d3da22d19089d4dd2f2a749a02441846ad002d7d557f8622c7b3c3e6f32308606aded8ab5c18ca52bd7ecb910

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
664B

MD5
b3c5e406dafe2b552fffbac711951c1c

SHA1
78d5e0b07941f0821759199978d912556af97db0

SHA256
b196b2460cb4b07755601ce0eec9da30a1f7133ba08c0e88b30ecc81516d8058

SHA512
2cabb6df5bb9e6022a86692028d307d3d85f486a5a5e39de787cbb88ef8ac06768c8f58e3293219b2ccbb4a8a4ec6c9779c64c54595bc872a856337509b7f2b3

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
612B

MD5
b4b935a32aa825a0ff930fc7254acd95

SHA1
56642310a9b5b2229951b30c6a128be80daf6d9a

SHA256
51bc5948bedadc70d7058198f369f97fe150a903fb71ede6878fcfbb7419c720

SHA512
5c4363bfd6499d47b78412dbdf76b9a5a9ded1dc037bef5db0cf6a69f4ebe4b688558737d2737b3afd709474e7eec60186d47e51a341b43b07cc2c0e69716a11

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
777B

MD5
5e337d23efcc58f7ffd3a4b0b4c860c3

SHA1
413ccf3639bd1b3f1e15ca38d7d222a0f40406f3

SHA256
43c529ac8bca617f110442c61d55e31e19a76f2ddb1f826b14b474f6b8d64bff

SHA512
0814c96f01dfd52f0c1aa8f8db3a89acc28d34f3d656e29e0a17d72c1bcd9a5c57526e60b092a607d84283990fcd8e54e9e96f47f339a6d8fbeb13451de7f3ca

Download Submit
C:\ProgramData\OFGADUSE\Process.txt

Filesize
4KB

MD5
f34f49b3882e6ccd1aea5be1578c9c57

SHA1
ab0fb9f7b9950464d25be70cb76559912ff82b53

SHA256
d52ecb8b3a450e7b731a1de95020e16b5032ac4d127cba2aa6ff657184aadd72

SHA512
0890591b4e2af8d081aa3344317c762a232a7005475ad0e340e6d862dd6f800a087df455766ff15c9284a8e0a67501ff3c63c316ec3e3fd4a85169f61895a7b2

Download Submit
C:\ProgramData\OFGADUSE\Screen.png

Filesize
55KB

MD5
3422222322af498541acef7d97182c59

SHA1
ac3f442f872e9a2310c7f78897ba73c9373caf6d

SHA256
0170668fc5e127be596fc639dd6d3c4031ca2f2b0c89590556e8332f87188cf9

SHA512
84fbb13e6351e7321fe686ae27968547ad4983a3f9d8adc39713e24e374a61cc7f4c1d7a88d0ca6e81a42fba74b61707cd81aa82988f5066266c65fd42dfd00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
107b26771211b74cdd5673a1861515d8

SHA1
336e1ce18c30f4a6b70e44fa21da83c26e1d76ab

SHA256
2e06b66da93a61c5800693d2fa14eecb76cf9149c53b9f8911a16d9b60a5861f

SHA512
cd58dc9218272aa80d0ff2d09d4cb409e72fd891c77dadcfc248a78d9457188722e1194566b6f764b2a5c81c3c0fa730ab4aeadabd0473edbdc3e64bf8b21387

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe

Filesize
320KB

MD5
f71e90cbe5a122796864f70feba51a50

SHA1
b63521622fbd176baddf513e2eb191f655880bca

SHA256
8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

SHA512
001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCA75E00

Filesize
21KB

MD5
d9e94be82258c25a44aba59d465c8515

SHA1
21614ea059aa54412c121a2ecb07e4a5aa1a2613

SHA256
9dc4dba0a334eb464e26cb116ffca2dd4b5cbe02734e018a67c804bf311d1fa4

SHA512
4a05057640809c1fb6eafe99c7802906d444d997843d15de421e913b5e6466106e15b84e687835ae729bb5880cff6a75ec046600e9702f9e7fb8d51d7bb089ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkCWoLCw.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
af10cd517bc9fee2d23c34dc946877ce

SHA1
cfc387fd74ea46ea5dd6c8d7311ea7d3f424dfe4

SHA256
3f1ccfee3ae1bf215047f4d13b8f79652b42e9ec70680939d710620879eb7e39

SHA512
e1328f465577374ae2ce7c86da95f1e32ea91f8d43cff2ced05cac4d70cc71c1637c369555f945e695ad6182a476e5cfa000b12c2a6ce77518c0126adab0ff4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA79F.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA8F8.tmp.dat

Filesize
114KB

MD5
2dc3133caeb5792be5e5c6c2fa812e34

SHA1
0ed75d85c6a2848396d5dd30e89987f0a8b5cedb

SHA256
4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7

SHA512
2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC73.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe

Filesize
1.0MB

MD5
c78e19b1b79ef2cbed3428f6d055a217

SHA1
34e1cca94e8a5dfee7825951e8d7d103fe24a94a

SHA256
f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

SHA512
e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a

Download Submit
memory/1848-16-0x00007FFA81A60000-0x00007FFA82401000-memory.dmp

Filesize
9.6MB

Download
memory/1848-0-0x00007FFA81D15000-0x00007FFA81D16000-memory.dmp

Filesize
4KB

Download
memory/1848-1-0x00007FFA81A60000-0x00007FFA82401000-memory.dmp

Filesize
9.6MB

Download
memory/1848-3-0x00007FFA81A60000-0x00007FFA82401000-memory.dmp

Filesize
9.6MB

Download
memory/2936-682-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2936-632-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2936-491-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3996-144-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3996-14-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4000-252-0x0000000005DE0000-0x0000000005E72000-memory.dmp

Filesize
584KB

Download
memory/4000-143-0x0000000000070000-0x00000000000C6000-memory.dmp

Filesize
344KB

Download
memory/4000-254-0x0000000006430000-0x00000000069D4000-memory.dmp

Filesize
5.6MB

Download
memory/4000-263-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/4296-245-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/4296-246-0x00007FFA5D5A0000-0x00007FFA5D5B0000-memory.dmp

Filesize
64KB

Download
memory/4296-241-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/4296-253-0x00007FFA5D5A0000-0x00007FFA5D5B0000-memory.dmp

Filesize
64KB

Download
memory/4296-243-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/4296-244-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download
memory/4296-242-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

Filesize
64KB

Download