stormkitty | 71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Size

1.1MB
MD5

e10d4a9fb3f6cb40b721a883f5b21333
SHA1

2593e6d56fe6c76216c026eaf44aa1fdb61137ff
SHA256

71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c
SHA512

321137c35b903991c1653af0bf704dbe9c7ded42b941260a7a3222b0407d5dd91c593fca18ab599347fbcd985a29aafef45d97990c170c1f1dca4f04d59c22d0
SSDEEP

24576:5nsJ39LyjbJkQFMhmC+6GD9c0P8j/svqA:5nsHyjtk2MYC5GDzP8j/Mq

Score

10^/10

stormkitty xred backdoor collection discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023bb1-7.dat	family_stormkitty
behavioral2/files/0x0007000000023c95-21.dat	family_stormkitty
behavioral2/memory/3528-144-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral2/memory/1360-145-0x0000000000270000-0x00000000002C6000-memory.dmp	family_stormkitty
behavioral2/memory/1704-642-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty
behavioral2/memory/1704-804-0x0000000000400000-0x0000000000510000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	LocalwCsRGYdPHX.exe

Executes dropped EXE 4 IoCs

pid	Process
3528	LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1704	Synaptics.exe
1732	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_LocalwCsRGYdPHX.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	LocalwCsRGYdPHX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Desktop\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Documents\desktop.ini	._cache_LocalwCsRGYdPHX.exe
File created	C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Pictures\desktop.ini	._cache_LocalwCsRGYdPHX.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
9	freegeoip.app
12	freegeoip.app
61	api.ipify.org
62	api.ipify.org
63	api.ipify.org
64	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_LocalwCsRGYdPHX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_LocalwCsRGYdPHX.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LocalwCsRGYdPHX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
512	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
1360	._cache_LocalwCsRGYdPHX.exe
1732	._cache_Synaptics.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	._cache_LocalwCsRGYdPHX.exe
Token: SeDebugPrivilege	1732	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
3636	AcroRd32.exe
512	EXCEL.EXE
512	EXCEL.EXE
512	EXCEL.EXE
512	EXCEL.EXE
512	EXCEL.EXE
512	EXCEL.EXE
512	EXCEL.EXE
512	EXCEL.EXE
3636	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3528	1100	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	83
PID 1100 wrote to memory of 3528	1100	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	83
PID 1100 wrote to memory of 3528	1100	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	83
PID 1100 wrote to memory of 3636	1100	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	84
PID 1100 wrote to memory of 3636	1100	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	84
PID 1100 wrote to memory of 3636	1100	71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe	84
PID 3528 wrote to memory of 1360	3528	LocalwCsRGYdPHX.exe	85
PID 3528 wrote to memory of 1360	3528	LocalwCsRGYdPHX.exe	85
PID 3528 wrote to memory of 1360	3528	LocalwCsRGYdPHX.exe	85
PID 3528 wrote to memory of 1704	3528	LocalwCsRGYdPHX.exe	86
PID 3528 wrote to memory of 1704	3528	LocalwCsRGYdPHX.exe	86
PID 3528 wrote to memory of 1704	3528	LocalwCsRGYdPHX.exe	86
PID 1704 wrote to memory of 1732	1704	Synaptics.exe	87
PID 1704 wrote to memory of 1732	1704	Synaptics.exe	87
PID 1704 wrote to memory of 1732	1704	Synaptics.exe	87
PID 3636 wrote to memory of 4660	3636	AcroRd32.exe	93
PID 3636 wrote to memory of 4660	3636	AcroRd32.exe	93
PID 3636 wrote to memory of 4660	3636	AcroRd32.exe	93
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4100	4660	RdrCEF.exe	94
PID 4660 wrote to memory of 4020	4660	RdrCEF.exe	95
PID 4660 wrote to memory of 4020	4660	RdrCEF.exe	95
PID 4660 wrote to memory of 4020	4660	RdrCEF.exe	95
PID 4660 wrote to memory of 4020	4660	RdrCEF.exe	95
PID 4660 wrote to memory of 4020	4660	RdrCEF.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe
"C:\Users\Admin\AppData\Local\Temp\71c2d4c56eb76e1442548504cfc35af357ddaf95968e6a2f9ac60d804a40163c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe
  "C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1732
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalfoWhpQgnAt.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F005683C9721DDE2566718FB892DBDA --mojo-platform-channel-handle=1704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6DC9808985C20CC94E801AF416464D4B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6DC9808985C20CC94E801AF416464D4B --renderer-client-id=2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4020
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4DFDF9986F241399DFF087FA346E5E3F --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E76A32F5B93DA97201A5A27E4C92A67D --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5108
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3F4AC6DF9365A25DD5397C00F961964 --mojo-platform-channel-handle=2544 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4124

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
52328641420f2531346de3692aab338f

SHA1
d1a7496166e8081f75966e0ca7b56ca94f7d1185

SHA256
1acd174b52f9f3864bc3d58aec7fd8f35827cbdc48c8ee6d74e110255a888721

SHA512
50dff936df2c44079a8d0b18a44e78985b1e4170a13c1bd87668fdc3161b26ff8919a8142dba7922d8d0fba97543a8275b5d9e6dc086bdb9211f51414f262136

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\FileGrabber\Pictures\UseSuspend.bmp

Filesize
222KB

MD5
167570809e2f9c6d934a6fec951d5770

SHA1
32c7fbb80ff72e0218a75418d1c89a743edaa61c

SHA256
cb89a07abb0c0b545c1e11dadc812e9c9b5a71f775fe9ce49d1fbed904484f67

SHA512
f77ba27bb77705174893649b381a2b7221ade68b743029d51c50e0a3cf0960dbe50aa3b5be67355eb967c4de6d44344c65ecc022b81e7e8638bad1a56ba40092

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\InstalledSoftware.txt

Filesize
1KB

MD5
bca4ee4b0d73edf2835ac08ab38d1bd9

SHA1
a833d7663f5edecc050b37b7efd1d563268ea0df

SHA256
0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f

SHA512
48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
104B

MD5
e3cc547bc462636d7516e67d38090691

SHA1
3257b4410be802437ca86b3d2e15b1f37dc731fb

SHA256
6500f9a3c9835b24a3440f223673a90e4dc12b9e58974b656b524657bb5e678f

SHA512
6f7cbd8af675ad68f6c887ca5f11109aa792950840a90aa8d576bf32c8dfa1970cb31b1e62831efdbceb35ea3901ba7240ed505e1b98afa0e32593d43e9ed511

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
260B

MD5
d3df5c4c3aed1b188503e63de76e8b16

SHA1
19c21b6ebc0625ef2d442b178fb75f18205f1400

SHA256
1d43926129fe6ca44dbffb9dd7fc9bb0b29f650975f89ca9180691794ce5be97

SHA512
bde9475294ee3c7cef46e165c2c4a1b62cf30c7f1e1f52ef522b9072b556ebbf178d0f9715f9b583b0de91d8f8fb8fdb5b6b94b7bcd92dec302af6648792b387

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
312B

MD5
c4b74ec86be49c96a7185fb1d09c2425

SHA1
88544a0d57970721ec1201b997647b731abd1fbf

SHA256
03b7f9365880ba34b42503ccc6e5b46c8a12e2865950fff2d46088223e660079

SHA512
c04cb6de2d5623de1aa36d31a697dfe38b1e079588251ec8ceaced8ca841a998b0075493f27ba3a62e0bc326cdd088c40a214d74f31b1dc3fbb2d2531fcc30ce

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
352B

MD5
dca8db7923815992f5a5c06a6d62a723

SHA1
51fd70ecbcb5733420909c41346a169b59efb196

SHA256
d192acf067b0f441b47d6052804a048685c46450e0355f547373d3b30dbeaef4

SHA512
dd2ac4e6b564c4c78f79e578d02add502ec5715f147a0be869937ce7dc174e047d2488ca1159669bed2fb906c2bed90a5a031bfc5c1931f9abff7009e6b284e6

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
404B

MD5
d5183790a7250f15c5a324438014eaf0

SHA1
7fe0129e095251df5431ccecff9b9277d68a340f

SHA256
ba9a1733be0103eea315e52ed330b70961272ca853dab358d1d248028069e38e

SHA512
207dc735cb38923554b7bc5e00ceda4a018a3f93bb779bce5864278af3f33695e1c27314f62f97372c08b70e5ced8f0097a4a3075483fbee71830cf994f9865e

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
508B

MD5
a72fcbf16c2050568709086b1724dd16

SHA1
0f7eabb71fa09777feaec2a8d1acc9552749a053

SHA256
b17798e7c04803d16a2fc00b330eb6c9a48bc0661dcde13ceb88b4a574f1d159

SHA512
4a1b0d9462fdea2d3aad77fb3178af84214d6f5cf7377460b96d9c837605534de93bc8f2f4e3ed5539d86868fa9e3bbf89ff6b04ee758e8380cfa9e6b9c35c62

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
560B

MD5
4dc0c1798b8a23bb47299615b7dba878

SHA1
4a14b0ba35d227576930c4be4b9d4f22851bf0c1

SHA256
63d7864853a27ef8098c91acdb61bd5f6a3ab67f1b4250b1211c21faf94c70e0

SHA512
d9bacce282db1edf3dbc281d40b476502bf8fbcc23659561ca52b08c90ec00ed8f3546c175fe052faf54728cbe59c77f79fa1a7f9ba78e6742c7c3e8178b1f14

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
904B

MD5
4cd689f9d8f3a7cffb1eb69b0fac7676

SHA1
0c424344dacfb576198bac8c99de9a68e2f0a7b8

SHA256
1e89516776b964100cac04cb03a75dee515e72b605856b5c912e33c312c468c1

SHA512
8cdbca25d02ca5cb1758fdf996a5568a9306dcee819564a10ec7c0976d2a86a32464b1d0f69a570c52a42eecce04bb2834689a259d6f4f3a00d7077a869929a7

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
964B

MD5
90a41eead1dac218c340c6890485be26

SHA1
c4ad4d34ae344d75582dd0b230f4bc6223e441b3

SHA256
103eade6ca8cdcc520c5921c0b2b2b7cf55b11f4f9517a8678201e04326fb4ae

SHA512
5a04f9697498e2871fab3092b92f83931539ac66a923c2765559c5d4d18c8634e01b30ad46cc48809da858069eac91e21f3bc3dc610b3e3bcf53a9c2f5fcbfc6

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1024B

MD5
faf70de48e852161acf9a40e361421f8

SHA1
c59d90eda1a04938317c7aeb95b9df35153a6a08

SHA256
e2e9672582169b7a978f4ff4af3d77ed736dc029e3aa0e92f1fbcb2ccbdcfea9

SHA512
6bc0f8baf68f7cb98bbbb43432ff530492d483a1b3e903f51a89bfb5855af6dc960423218da0110a196f55141b34ec3d67bfa0ec64f80bf8f0098fe081524c52

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
16c8731993d3625bc4a6c98916b33a39

SHA1
ee4dd4d778023a1478b591820e371e4694f24dd1

SHA256
e05ea85ca6bb180146234d5fb6c30671b2745d78e5b8fb4b94d2cab341bd795a

SHA512
6fed4370a4ab9c93f227f74abafb14194d31ed6f680df4399a9b0e52b27d7df6b42b46a02a285e44d8c1f2c3e2c96c7dac19aff653fe2c3be494508fc3bb04e9

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
f962cb88aceb24cc635f7446acdd2435

SHA1
28851a1d981507a781e0ff7bef89a85af65cbbe6

SHA256
e26f6d5abf4dc8e8a7bf96c2592be519ef00f1b8959a4571416c3c667b733cf4

SHA512
bbe225820207baa7a349627e200e6d493751fa0ff1fe6d94c8340345245e494f2f56d3afea335b0575ce10965e1f27200e37931f7e46fd123b589e42b937b92c

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
7d9df56dbc8014c03b8e0982f9dee0e3

SHA1
6a6c0b49a3cebd9dd4ef4046967d830bfa665929

SHA256
13149b78b270ac189a72cbbf41c5d0e3c749fdb397d3d3b2940941c9057e15af

SHA512
2510487e917613eace2885b44f6e4c72b7f3277476da5b1c2ae8afb803f481bd555ab0b7eb81dedf6872ce57a18dd62d7939017f1d83f3d1dd3cec8385956ede

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
77c78026de044fdcba0c5bcff08d1c17

SHA1
26dd7ac35ba47613f9cc10f9d0e96fbd85d9f600

SHA256
14418719e4d4b3cab9072f3c868363d6c68dbc04a4b87aee6a2a8d2e434135d4

SHA512
030a544f42a043bd7d356d48b076e982a63daea1f04a2498113d70a1717dda337a90bf803a3959f2ad08aeab6aced467285a878eba5621e5e0be1d47257f0e2b

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
faadf020c82bcf73b7ed9b959fff6b04

SHA1
894f14bbfd482a6ef0cadfe67b498b0dcde002d3

SHA256
748d455f4c25a47e36e8831c2e2f0e93c04f02a4daa56f81530f3a72b87e229b

SHA512
f9ad778d7ffb22016487bfdec1d51db66089e52df201ce7056055341044dd512aec897aaf048d6b0231a2275776a5e231359f9e6a76969596f61b116cfd7163b

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
fc70b02a9a4a671ef6928343e395642e

SHA1
0252f7443cb9638cc73e6a7cea59c34f2611f4e1

SHA256
f90f8afdd916c0579e56d28054ddd80e5d6283ff1362e857f950fdf331b2a156

SHA512
b8cbb59e29b55a91692aee61fc2d2e4f6535223f5db024348ce66990a7c90576b4b7e1afd0cd8649a8338170cd7201fd32a65dee3a8bdff3972cdd1b5242eb57

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
bb521872e017b49c9a15f3302cae9ee0

SHA1
89dd727a40dcf2213d9dfaddf3820ab8c01f076b

SHA256
e764911236323f98a9432ae49f1b387fce6e364456072831be531797b84df133

SHA512
8fe7df63e5fea8d27924d7ae4fbe2bb056b778ee43e95f9ccdd206823f876e10ccaff767e59a44c96a956b6f95ce82a48a3062c9b840c04c74d278bf8fea8655

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
1b0fcbfe3099a4c50a374be14448893d

SHA1
6314f39232b7ae5dc0e19de7fa9eae99f4c934cb

SHA256
922c8742d2c78d37aa58d9b5b4b91741e2d4b60520a9ea8db810340602962525

SHA512
e1c0dbe28230b6375a05b51c63abb07ba3f13f2cf7a498e3fff8b17f9de6f0da5e1ed143e76c4ca4cde1247f01927e01bc658664f99ca9614eee4d7119844ef5

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
064bbd550d95d1798c36570a81a62ba5

SHA1
589cbf60c3d6b4c3b14772f77f6644d927f57345

SHA256
8394a8dc3a5bc6563f7078fd61eef01fe32250b999c43382c12fd91b1363c89f

SHA512
4383abcba6f97c3f4d547a73cee70ff46b11b01a92d819a1361beb23c7f01b19a6a00fbb33be61f481a5bd136138dbc927921ee1c148104690821f83f92eeefd

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
e32e8a6af03d64423fe57be0111db36d

SHA1
f0859bc704773f20d7fe9c9b0fe31e8e290b632a

SHA256
69102afe6fd50815d21cb4b903c23b9c7288f9aa79b389b5659ff2af5dda62b8

SHA512
9de00444886ac8eaafbfd0cd5c988575a2aa1b5eafcfedb161247ee44bf2db176839ea30cc12be78469a3ef297ccbe87686c703a703b00ffeb10536fb4dad5da

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
1df8833c09cb0f438d27bef656a41d35

SHA1
e5c3adc99c762ebc119d0d354cd5d00e18471713

SHA256
992adafe367a45d0fdaa60bcdeb33272696b834f9fe2890bb1ac7131d3162f56

SHA512
580cd1ac949498832aa13638de368d7c437ff0af5143acbf66d6d27933d27fa4e3d0b35afce49449100c86969fb40fbf7d61128e58b08d9552d6ed1d890a0d1b

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
57afe75a526eca34a13847f50577c766

SHA1
f07ebbae369d164ff3df04296956f8635cb8ae24

SHA256
7719d135e49b79579f350e5620fe93adc0b725b68446e18f368d2a8046ee6874

SHA512
ded3054f588d6053d86ca47111b0289356d366497d1deff037ee7214b527df84fe615e5210f1a6d29ec0bfcf7fe9867852f0d414c3ab426f2764e136a92ef875

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
1KB

MD5
73c64fc9d26b3e2afb998d947bc4c8fd

SHA1
74360293757e23abbcf411e12d370c5a9dbc1940

SHA256
7d4bb911cac6ad12f34a21592f448bc99b6fe9827314985cf0d6990bf12c99e9

SHA512
9a77fdb1f796a0c5fc4cfe304714d2a3609189895b875145781ff1609b8050a6f6ed459da393031d3ca2e3e51d58210c957482727f7062cab581f801d93844ce

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
d0553cc7dddd2d86937b09f648e7b7f1

SHA1
d6f88f0db683d4afe6b92e78a6e287e8ba4bd4b6

SHA256
6975f15568f952061a2562a25edba6282cef72309f9b0b92e1a958d9762fed3a

SHA512
a49e45c15678cf80c53c5686575241071b54f3516a79f8ede7f7872947652e0080b17556445971ea26e121dca8ebfcbc5758f3304e96411011c4a81327ddaf49

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
bb42023ee38adedfff6ec463960ccc8a

SHA1
e25d2ef6a0ea4cb79460a42ab87179ae7fa0ff52

SHA256
2b10298bc4b6217cba63a4f1d7ebfd6bd51a611c41c3b99d8931c87804a5d3eb

SHA512
574e4928e65cc90b4c75ad931dca99bb043bcb20b277b57b7f38946b9ef0a313c8b1a5b0e38bce1f4dc57cbc2162e594ebdf95d764a40364621bcdc37a7e5294

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
002def4295123985bbc115beba6a5a9b

SHA1
129775c5e28577076efe96145e348122591aca96

SHA256
c4c0e284b60e386fa381cb1af64054baff069cdf78e582da67b7fe4c661c969e

SHA512
2c17551ac250cfc55426394baaece4a33bb208d2fb77145e41db0c548fcd22ca4c88b0ce11d53bdaaa693fd070df91e94d36c48e474477429a870417bd103efd

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
dabf179a22ec8fbde5448230ec5a2863

SHA1
25e7d24415ef3be9e0b57dd66fe5ce40327b6b59

SHA256
51cb0874e9e7599fb012398a66df26a048b0dedb24c36e776da862080a4d6d23

SHA512
74f817c93fdb70496e4dd85b2da44fcce020bb905a1f0450e73f4654e042089e06da1247d550edbbaf6fda62e30bd2e8ddbb5cb86c0104c5a15ecd93f3280c96

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
5b7e7c7bf9c416943fc0bedb2925a8e1

SHA1
f56f2c2aeecc770e9c0f6c93a1310f1a644a5904

SHA256
3d84133dcfc78e023772560a6786ca0ae89237e1cec62770381518a474e2dabd

SHA512
b506d659c07a9089c55988edea36f3c03ee447c98fea99f6c125911a31c9e337aa4b2dccbe6f79253f5c38832115e3822298040e4944ece721b920f0601c94b7

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
618e8ed0d9ec245b5beca96823b7d6a4

SHA1
a94eb662408e5a4a3d1b1c3c00c37a3ecb05d01a

SHA256
b421f4d6d09d7b5add21dc768aaeca85a2c989afd4b91dbf51ce586a55443f50

SHA512
c827a5e791a300b477352e2ad6518b5a33c076fcfa7542c151a6791155eaa4718a7aba42ae6fb034e67c87e8f402b6f103a26ccf0f1fb8786c79bec76196855c

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
4c3acda2a37d785d2d810c304298a33b

SHA1
46d368c56e6f27d2c559a03b3d3f51712142fffc

SHA256
21896c9e70642986ccdcaf1c719b7321fb45d52f77c7b50b212ead2856510563

SHA512
93cfc7282006a9eabd67939bc9d1d74e8e29a0a591c93aa3235a923c1ff5003c5710ceb81d30615e91b6b2f6fb4ba10949f14091c80d6df3e2a343ee50994dd8

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
9171daee66702583a3aa78369825999d

SHA1
2d1d65434844878cc3e4190f27cafd4f1255830a

SHA256
f981f92785405733acf2ef55d2bdfc215a503e5628ff99ca45634d1db9a93180

SHA512
04aa3347cbd7ce6251404f836725293ff9ed4d855e959e9f678d2d38d17f8a7ae64137539bac6493dde8a3cca3a6a5e18e1e2636809e38bf6a9873121b1ea48f

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
0d75f73e6e6d02289b264b58b80d2814

SHA1
edfe7f8baed9e2bdbdede9699487638c7bccd334

SHA256
ca15402364c1a75e34fc340cff04d851ca024575ba3492753a2befde26a8b1b1

SHA512
2327c9b019ed1f368373f3a3d7903e76c192101eec7d1e57f6f5cee980fc345dda83a631034cfdf2d930d114ba7521c858192d803c5b148fe315b9a7ac8d09bc

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
ff25bf89491d42cab8c26fe6e20ef431

SHA1
dee6e8d5351b7992d1c8c07e1d252ee6ca3a2a2d

SHA256
13058418de85c9d89ef8cbe22d76e4164c5979c1599b115ce7ab02cc93402fa3

SHA512
358475467cc875ab917fe8202449d0332f0e3ff88ebebd28a4c113b1bd19943e4fd3d6d4611110addc51b73f41f0c57b359a13c343a04454d36a59f99bab507f

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
f751a791ed732612d6e550ea3080f147

SHA1
dc227db293022f983e72359e8fbee115c3c3c0ca

SHA256
eb852d4157346933b046bf861ef4b8a7e66b830a989d60ab21911c86ad6f7b50

SHA512
ef7817c55d13e640d1fec3883d53810b6c610edc8a4abfae6a71eeab123b6a0f929d38584a46551378363cd3170c1104bf0e9d9803341f882e3f8d3ca5628880

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
880b5fc536302e65d075702d673d4290

SHA1
ea40256f8a41b240eec82cd36c762fab4f1216ce

SHA256
f2090e7be0867c52df98970551423e872cc309d547715affcb9a01a9c9477cbe

SHA512
aad41ceef57b65377484864001ec6bcf3404b6b2cab184622a11e018408c640ab4fc17ada74e7dedff158d00d27c14684aa81d575f5b65350bada308a4c35c76

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
2KB

MD5
6f6e2c6daf5de82bda5730c84f8c14b3

SHA1
9017a5094202db7d27a0eb12219f6f4fab64a790

SHA256
eec186a60dddb5a32672cfadba19778904cd92a426908acf04e45e16ab121e83

SHA512
2ce4eb3b542ef383bc6423c6aae35f41cd6694ca1d4287bc480d10fbbd88b00fe81efd4637743c4c48bd0e68c644a77cde3c7e8aa918d82c06e827fb92f62c50

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
3KB

MD5
270642ea2facbb718ab3b666dcf1ee8f

SHA1
900d6373ca4de321abff5ff141ab04adcbf7308a

SHA256
e0a73c47375b4db266b538185e585acfac9c2b62abf32d698b1b1767b4b102d7

SHA512
be2f4d23d6b198f68484e6876e1c809823d057964f8229ace570b81f04f45f8da682dcf2a558ded413a075bf4ef24cf80aba5757362e16c8757b9a0af5b36372

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Process.txt

Filesize
4KB

MD5
bb9793045d418bb126e3fda72caefdb7

SHA1
7e14224b6971fdd87c872201e592f3483160c806

SHA256
dca9ecb69e014c03a170b2c365d22472564ce6a1fa1546167732df55935155f6

SHA512
c83924cd6a08e2670ae23324e5b29b0ed7cb0baf030560a332c1d0ad7eb484423431355797493de6120d56a47f40a82b151c70e87a0ba3033b45200ffae22ca5

Download Submit
C:\Users\Admin\AppData\Local\GUMLNLFE\Screen.png

Filesize
55KB

MD5
5ef42b3ce4bb710db68c114e67701c3d

SHA1
08da058959293b0ab9a15fd0d6dbff949db74164

SHA256
100076807f93dde3e327584080f10cfd4b3876f76d8296d0f1d14444ad8edb36

SHA512
ffae6a3c63a9de39e71d544e800ff4c4a8012c56c5528b30c3197278f5f21e0fac0fe57ee75f84eebe5bf71961ccab67d7bcee6ec8d98cf116ede8c029e5d187

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_LocalwCsRGYdPHX.exe

Filesize
320KB

MD5
f71e90cbe5a122796864f70feba51a50

SHA1
b63521622fbd176baddf513e2eb191f655880bca

SHA256
8bd6fcaf589fc2aa0724dbee715075119547480ed155025a10da750e8f07dc8a

SHA512
001e5b02b5f28b2e9d8cff0baedbd5c21aa6da19f41629037438d39dcfdb6b1322c50571cb7a8fade72ed284d411919a6db319120c1d127df8488de95f7fd12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC875E00

Filesize
21KB

MD5
5217b89b6e1db166fa1809a7d75edf9a

SHA1
c7efc7f678402aa2958e4ec6276d103d7364fe1f

SHA256
73f206935c63cd3b6a68de3383ac81c4aff2b0539061dbf6540007382be0872d

SHA512
3a9a4303bdcd41eee79aefe78564762560a639c3dd6d7d7470dd6dd85a3e3fbaafea2bb399fc080916432a193fc59b122a73e0418f202b328772905fe30ed02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbTsh3HJ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
48a487bd3544c6fb62a830c256dc7699

SHA1
31b692f6973298aa7d19ad1b42de00e2cc5d9053

SHA256
96f59d96ad8f469b549fab4ef1794e9db70987ca0aa915fd0eb7381302f8c2df

SHA512
62c2910a3f10f7dfb0b54b952662a7e85e5cd5cdb9e81725b3e27750e70cf16542a4a5520b73e74b2554a1ab205fb84ca3c402383f5d3a91ef99cdb25e1a76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B2E.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CE4.tmp.dat

Filesize
114KB

MD5
a1eeb9d95adbb08fa316226b55e4f278

SHA1
b36e8529ac3f2907750b4fea7037b147fe1061a6

SHA256
2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

SHA512
f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9071.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\LocalwCsRGYdPHX.exe

Filesize
1.0MB

MD5
c78e19b1b79ef2cbed3428f6d055a217

SHA1
34e1cca94e8a5dfee7825951e8d7d103fe24a94a

SHA256
f906668bf46889d0a78b4d207ae34a6442b4c98b23055cac9a0715e671ca6b31

SHA512
e0828b3c2e2e060ef79855de7bb3bf297ba1590b6f08784ad85cd19c090e84d5a50893a1d89a70aea13d48f7896b62d048447e7eb40a23ae8309f5207642470a

Download Submit
memory/512-244-0x00007FF9EE8F0000-0x00007FF9EE900000-memory.dmp

Filesize
64KB

Download
memory/512-245-0x00007FF9EBF90000-0x00007FF9EBFA0000-memory.dmp

Filesize
64KB

Download
memory/512-246-0x00007FF9EBF90000-0x00007FF9EBFA0000-memory.dmp

Filesize
64KB

Download
memory/512-241-0x00007FF9EE8F0000-0x00007FF9EE900000-memory.dmp

Filesize
64KB

Download
memory/512-232-0x00007FF9EE8F0000-0x00007FF9EE900000-memory.dmp

Filesize
64KB

Download
memory/512-233-0x00007FF9EE8F0000-0x00007FF9EE900000-memory.dmp

Filesize
64KB

Download
memory/512-234-0x00007FF9EE8F0000-0x00007FF9EE900000-memory.dmp

Filesize
64KB

Download
memory/1100-1-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

Filesize
9.6MB

Download
memory/1100-0-0x00007FFA10695000-0x00007FFA10696000-memory.dmp

Filesize
4KB

Download
memory/1100-3-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

Filesize
9.6MB

Download
memory/1100-15-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

Filesize
9.6MB

Download
memory/1360-262-0x0000000006460000-0x00000000064C6000-memory.dmp

Filesize
408KB

Download
memory/1360-252-0x0000000005F70000-0x0000000006002000-memory.dmp

Filesize
584KB

Download
memory/1360-258-0x00000000065C0000-0x0000000006B64000-memory.dmp

Filesize
5.6MB

Download
memory/1360-145-0x0000000000270000-0x00000000002C6000-memory.dmp

Filesize
344KB

Download
memory/1704-642-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1704-804-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3528-16-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3528-144-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3636-759-0x0000000009CA0000-0x0000000009F4B000-memory.dmp

Filesize
2.7MB

Download