stormkitty | 877bbfa93204729a4a260fede9c76318d4f7e58a38f6ba5073424f94829ed536

Resubmissions

13-01-2025 01:19

250113-bpjmya1nbj 3

12-01-2025 11:10

250112-m91bzasmbp 10

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

5.8MB
MD5

618cb93c3c997388af8524158c86bfeb
SHA1

fa1d990888cddd1ce2f42de85362127bfb4e3a63
SHA256

51f784375bfd11aa1c2d3d8ba38ba59682f5f54e09c0ebb3d5d67c33d1012259
SHA512

407fbf24f34a7810452136d678570d8ad0bd68640d7ff4df8bcf0c7d7bcd1621482bc4d47c1fb8ef0aa4540cb885024ae6055c359d9d70ecf10887be1113c80c
SSDEEP

98304:rDjJgdhBZTv0sGVD+Oq7j3JQ9oQSqEac8JgZSeC3FSDsa7V578kXHoujwCl1um:3jJuBtGVD+OoUq8+SZ1hAVpRRjw6Q

Score

10^/10

stormkitty xred backdoor collection discovery macro persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 63 IoCs

resource	yara_rule
behavioral3/files/0x000b000000012282-7.dat	family_stormkitty
behavioral3/files/0x003600000001706d-20.dat	family_stormkitty
behavioral3/memory/2764-39-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2720-40-0x0000000000DC0000-0x0000000000E16000-memory.dmp	family_stormkitty
behavioral3/memory/2204-58-0x0000000000D80000-0x0000000000DD6000-memory.dmp	family_stormkitty
behavioral3/memory/2968-142-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2728-260-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2892-342-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1532-529-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1248-532-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2844-545-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2564-557-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2396-568-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2956-575-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2732-582-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1248-583-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2164-590-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2096-643-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/3000-733-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/752-768-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2704-825-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2440-832-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2852-839-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2988-846-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2408-853-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2904-861-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2812-868-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2348-897-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/668-898-0x0000000001390000-0x00000000013E6000-memory.dmp	family_stormkitty
behavioral3/memory/3056-982-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2060-1026-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2208-1074-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2860-1081-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2548-1088-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1952-1095-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1740-1104-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1044-1132-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2844-1146-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1556-1175-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/3064-1176-0x0000000000290000-0x00000000002E6000-memory.dmp	family_stormkitty
behavioral3/memory/2356-1260-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1248-1261-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2752-1321-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2880-1352-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1796-1359-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1788-1366-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/768-1374-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2076-1381-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2184-1388-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2664-1395-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2424-1424-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2556-1425-0x00000000000D0000-0x0000000000126000-memory.dmp	family_stormkitty
behavioral3/memory/3068-1510-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2360-1552-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1912-1601-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/692-1608-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/1608-1616-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/3040-1623-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/3044-1630-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2344-1637-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2280-1644-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral3/memory/2908-1675-0x00000000009F0000-0x0000000000A46000-memory.dmp	family_stormkitty
behavioral3/memory/1288-1924-0x0000000000BC0000-0x0000000000C16000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral3/files/0x000600000001a58e-165.dat

Executes dropped EXE 64 IoCs

pid	Process
2764	Client.exe
2720	._cache_Client.exe
1248	Synaptics.exe
2204	._cache_Synaptics.exe
2968	Client.exe
356	._cache_Client.exe
2728	Client.exe
744	._cache_Client.exe
2892	Client.exe
2088	._cache_Client.exe
1532	Client.exe
484	._cache_Client.exe
2844	Client.exe
2704	._cache_Client.exe
2564	Client.exe
2596	._cache_Client.exe
2396	Client.exe
2964	._cache_Client.exe
2956	Client.exe
2104	._cache_Client.exe
2732	Client.exe
1524	._cache_Client.exe
2164	Client.exe
752	._cache_Client.exe
2096	Client.exe
2664	._cache_Client.exe
3000	Client.exe
1640	._cache_Client.exe
752	Client.exe
2624	._cache_Client.exe
2704	Client.exe
3004	._cache_Client.exe
2440	Client.exe
1716	._cache_Client.exe
2852	Client.exe
2540	._cache_Client.exe
2988	Client.exe
2716	._cache_Client.exe
2408	Client.exe
2164	._cache_Client.exe
2904	Client.exe
2748	._cache_Client.exe
2812	Client.exe
2200	._cache_Client.exe
2348	Client.exe
668	._cache_Client.exe
3056	Client.exe
768	._cache_Client.exe
2060	Client.exe
2280	._cache_Client.exe
2208	Client.exe
1288	._cache_Client.exe
2860	Client.exe
1128	._cache_Client.exe
2548	Client.exe
1368	._cache_Client.exe
1952	Client.exe
604	._cache_Client.exe
1740	Client.exe
2916	._cache_Client.exe
1044	Client.exe
1276	._cache_Client.exe
2844	Client.exe
2620	._cache_Client.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	Client.exe
2764	Client.exe
2764	Client.exe
2764	Client.exe
1248	Synaptics.exe
1248	Synaptics.exe
2968	Client.exe
2968	Client.exe
2968	Client.exe
2728	Client.exe
2728	Client.exe
2728	Client.exe
2892	Client.exe
2892	Client.exe
2892	Client.exe
1532	Client.exe
1532	Client.exe
1532	Client.exe
2844	Client.exe
2844	Client.exe
2844	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2396	Client.exe
2396	Client.exe
2396	Client.exe
2956	Client.exe
2956	Client.exe
2956	Client.exe
2732	Client.exe
2732	Client.exe
2732	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2096	Client.exe
2096	Client.exe
2096	Client.exe
3000	Client.exe
3000	Client.exe
3000	Client.exe
752	Client.exe
752	Client.exe
752	Client.exe
2704	Client.exe
2704	Client.exe
2704	Client.exe
2440	Client.exe
2440	Client.exe
2440	Client.exe
2852	Client.exe
2852	Client.exe
2852	Client.exe
2988	Client.exe
2988	Client.exe
2988	Client.exe
2408	Client.exe
2408	Client.exe
2408	Client.exe
2904	Client.exe
2904	Client.exe
2904	Client.exe
2812	Client.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 24 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 32 IoCs

description	ioc	Process
File created	C:\ProgramData\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\ZQABOPWE\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\desktop.ini	._cache_Client.exe

Looks up external IP address via web service 40 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
80	api.ipify.org
82	api.ipify.org
146	api.ipify.org
167	api.ipify.org
35	api.ipify.org
67	api.ipify.org
36	api.ipify.org
68	api.ipify.org
97	freegeoip.app
107	api.ipify.org
9	freegeoip.app
33	api.ipify.org
44	api.ipify.org
70	freegeoip.app
43	api.ipify.org
65	api.ipify.org
111	api.ipify.org
163	api.ipify.org
13	freegeoip.app
37	ip-api.com
83	api.ipify.org
123	api.ipify.org
7	freegeoip.app
46	api.ipify.org
110	api.ipify.org
134	api.ipify.org
153	freegeoip.app
166	api.ipify.org
16	freegeoip.app
38	ip-api.com
164	ip-api.com
34	api.ipify.org
136	freegeoip.app
108	ip-api.com
113	freegeoip.app
133	api.ipify.org
148	api.ipify.org
149	api.ipify.org
45	api.ipify.org
55	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
752	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	._cache_Client.exe
2720	._cache_Client.exe
2720	._cache_Client.exe
2204	._cache_Synaptics.exe
2204	._cache_Synaptics.exe
2204	._cache_Synaptics.exe
356	._cache_Client.exe
356	._cache_Client.exe
2720	._cache_Client.exe
2204	._cache_Synaptics.exe
744	._cache_Client.exe
744	._cache_Client.exe
2204	._cache_Synaptics.exe
2204	._cache_Synaptics.exe
2720	._cache_Client.exe
2720	._cache_Client.exe
2204	._cache_Synaptics.exe
2204	._cache_Synaptics.exe
2204	._cache_Synaptics.exe
2204	._cache_Synaptics.exe
2720	._cache_Client.exe
2720	._cache_Client.exe
2088	._cache_Client.exe
2088	._cache_Client.exe
484	._cache_Client.exe
484	._cache_Client.exe
2704	._cache_Client.exe
2704	._cache_Client.exe
2596	._cache_Client.exe
2596	._cache_Client.exe
2964	._cache_Client.exe
2964	._cache_Client.exe
2104	._cache_Client.exe
2104	._cache_Client.exe
1524	._cache_Client.exe
1524	._cache_Client.exe
752	._cache_Client.exe
752	._cache_Client.exe
2664	._cache_Client.exe
2664	._cache_Client.exe
2664	._cache_Client.exe
2664	._cache_Client.exe
2664	._cache_Client.exe
2664	._cache_Client.exe
1640	._cache_Client.exe
1640	._cache_Client.exe
2624	._cache_Client.exe
2624	._cache_Client.exe
3004	._cache_Client.exe
3004	._cache_Client.exe
1716	._cache_Client.exe
1716	._cache_Client.exe
2540	._cache_Client.exe
2540	._cache_Client.exe
2716	._cache_Client.exe
2716	._cache_Client.exe
2164	._cache_Client.exe
2164	._cache_Client.exe
2748	._cache_Client.exe
2748	._cache_Client.exe
2200	._cache_Client.exe
2200	._cache_Client.exe
668	._cache_Client.exe
668	._cache_Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	._cache_Client.exe
Token: SeDebugPrivilege	2204	._cache_Synaptics.exe
Token: SeDebugPrivilege	356	._cache_Client.exe
Token: SeDebugPrivilege	744	._cache_Client.exe
Token: SeDebugPrivilege	2088	._cache_Client.exe
Token: SeDebugPrivilege	484	._cache_Client.exe
Token: SeDebugPrivilege	2704	._cache_Client.exe
Token: SeDebugPrivilege	2596	._cache_Client.exe
Token: SeDebugPrivilege	2964	._cache_Client.exe
Token: SeDebugPrivilege	2104	._cache_Client.exe
Token: SeDebugPrivilege	1524	._cache_Client.exe
Token: SeDebugPrivilege	752	._cache_Client.exe
Token: SeDebugPrivilege	2664	._cache_Client.exe
Token: SeDebugPrivilege	1640	._cache_Client.exe
Token: SeDebugPrivilege	2624	._cache_Client.exe
Token: SeDebugPrivilege	3004	._cache_Client.exe
Token: SeDebugPrivilege	1716	._cache_Client.exe
Token: SeDebugPrivilege	2540	._cache_Client.exe
Token: SeDebugPrivilege	2716	._cache_Client.exe
Token: SeDebugPrivilege	2164	._cache_Client.exe
Token: SeDebugPrivilege	2748	._cache_Client.exe
Token: SeDebugPrivilege	2200	._cache_Client.exe
Token: SeDebugPrivilege	668	._cache_Client.exe
Token: SeDebugPrivilege	768	._cache_Client.exe
Token: SeDebugPrivilege	2280	._cache_Client.exe
Token: SeDebugPrivilege	1288	._cache_Client.exe
Token: SeDebugPrivilege	1128	._cache_Client.exe
Token: SeDebugPrivilege	1368	._cache_Client.exe
Token: SeDebugPrivilege	604	._cache_Client.exe
Token: SeDebugPrivilege	2916	._cache_Client.exe
Token: SeDebugPrivilege	1276	._cache_Client.exe
Token: SeDebugPrivilege	2620	._cache_Client.exe
Token: SeDebugPrivilege	3064	._cache_Client.exe
Token: SeDebugPrivilege	2520	._cache_Client.exe
Token: SeDebugPrivilege	2808	._cache_Client.exe
Token: SeDebugPrivilege	2956	._cache_Client.exe
Token: SeDebugPrivilege	556	._cache_Client.exe
Token: SeDebugPrivilege	2080	._cache_Client.exe
Token: SeDebugPrivilege	3068	._cache_Client.exe
Token: SeDebugPrivilege	2120	._cache_Client.exe
Token: SeDebugPrivilege	2912	._cache_Client.exe
Token: SeDebugPrivilege	2348	._cache_Client.exe
Token: SeDebugPrivilege	2556	._cache_Client.exe
Token: SeDebugPrivilege	1460	._cache_Client.exe
Token: SeDebugPrivilege	872	._cache_Client.exe
Token: SeDebugPrivilege	1556	._cache_Client.exe
Token: SeDebugPrivilege	1796	._cache_Client.exe
Token: SeDebugPrivilege	2616	._cache_Client.exe
Token: SeDebugPrivilege	916	._cache_Client.exe
Token: SeDebugPrivilege	2472	._cache_Client.exe
Token: SeDebugPrivilege	2184	._cache_Client.exe
Token: SeDebugPrivilege	2276	._cache_Client.exe
Token: SeDebugPrivilege	2908	._cache_Client.exe
Token: SeDebugPrivilege	2680	._cache_Client.exe
Token: SeDebugPrivilege	2280	._cache_Client.exe
Token: SeDebugPrivilege	3028	._cache_Client.exe
Token: SeDebugPrivilege	2084	._cache_Client.exe
Token: SeDebugPrivilege	2528	._cache_Client.exe
Token: SeDebugPrivilege	2256	._cache_Client.exe
Token: SeDebugPrivilege	2640	._cache_Client.exe
Token: SeDebugPrivilege	2920	._cache_Client.exe
Token: SeDebugPrivilege	304	._cache_Client.exe
Token: SeDebugPrivilege	1288	._cache_Client.exe
Token: SeDebugPrivilege	1928	._cache_Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
752	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2764	2364	loader.exe	30
PID 2364 wrote to memory of 2764	2364	loader.exe	30
PID 2364 wrote to memory of 2764	2364	loader.exe	30
PID 2364 wrote to memory of 2764	2364	loader.exe	30
PID 2364 wrote to memory of 2108	2364	loader.exe	31
PID 2364 wrote to memory of 2108	2364	loader.exe	31
PID 2364 wrote to memory of 2108	2364	loader.exe	31
PID 2764 wrote to memory of 2720	2764	Client.exe	32
PID 2764 wrote to memory of 2720	2764	Client.exe	32
PID 2764 wrote to memory of 2720	2764	Client.exe	32
PID 2764 wrote to memory of 2720	2764	Client.exe	32
PID 2764 wrote to memory of 1248	2764	Client.exe	33
PID 2764 wrote to memory of 1248	2764	Client.exe	33
PID 2764 wrote to memory of 1248	2764	Client.exe	33
PID 2764 wrote to memory of 1248	2764	Client.exe	33
PID 1248 wrote to memory of 2204	1248	Synaptics.exe	34
PID 1248 wrote to memory of 2204	1248	Synaptics.exe	34
PID 1248 wrote to memory of 2204	1248	Synaptics.exe	34
PID 1248 wrote to memory of 2204	1248	Synaptics.exe	34
PID 2108 wrote to memory of 2968	2108	loader.exe	36
PID 2108 wrote to memory of 2968	2108	loader.exe	36
PID 2108 wrote to memory of 2968	2108	loader.exe	36
PID 2108 wrote to memory of 2968	2108	loader.exe	36
PID 2108 wrote to memory of 1600	2108	loader.exe	37
PID 2108 wrote to memory of 1600	2108	loader.exe	37
PID 2108 wrote to memory of 1600	2108	loader.exe	37
PID 2968 wrote to memory of 356	2968	Client.exe	38
PID 2968 wrote to memory of 356	2968	Client.exe	38
PID 2968 wrote to memory of 356	2968	Client.exe	38
PID 2968 wrote to memory of 356	2968	Client.exe	38
PID 1600 wrote to memory of 2728	1600	loader.exe	40
PID 1600 wrote to memory of 2728	1600	loader.exe	40
PID 1600 wrote to memory of 2728	1600	loader.exe	40
PID 1600 wrote to memory of 2728	1600	loader.exe	40
PID 1600 wrote to memory of 2560	1600	loader.exe	41
PID 1600 wrote to memory of 2560	1600	loader.exe	41
PID 1600 wrote to memory of 2560	1600	loader.exe	41
PID 2728 wrote to memory of 744	2728	Client.exe	42
PID 2728 wrote to memory of 744	2728	Client.exe	42
PID 2728 wrote to memory of 744	2728	Client.exe	42
PID 2728 wrote to memory of 744	2728	Client.exe	42
PID 2560 wrote to memory of 2892	2560	loader.exe	44
PID 2560 wrote to memory of 2892	2560	loader.exe	44
PID 2560 wrote to memory of 2892	2560	loader.exe	44
PID 2560 wrote to memory of 2892	2560	loader.exe	44
PID 2560 wrote to memory of 688	2560	loader.exe	45
PID 2560 wrote to memory of 688	2560	loader.exe	45
PID 2560 wrote to memory of 688	2560	loader.exe	45
PID 2892 wrote to memory of 2088	2892	Client.exe	46
PID 2892 wrote to memory of 2088	2892	Client.exe	46
PID 2892 wrote to memory of 2088	2892	Client.exe	46
PID 2892 wrote to memory of 2088	2892	Client.exe	46
PID 688 wrote to memory of 1532	688	loader.exe	47
PID 688 wrote to memory of 1532	688	loader.exe	47
PID 688 wrote to memory of 1532	688	loader.exe	47
PID 688 wrote to memory of 1532	688	loader.exe	47
PID 688 wrote to memory of 2472	688	loader.exe	48
PID 688 wrote to memory of 2472	688	loader.exe	48
PID 688 wrote to memory of 2472	688	loader.exe	48
PID 1532 wrote to memory of 484	1532	Client.exe	50
PID 1532 wrote to memory of 484	1532	Client.exe	50
PID 1532 wrote to memory of 484	1532	Client.exe	50
PID 1532 wrote to memory of 484	1532	Client.exe	50
PID 2472 wrote to memory of 2844	2472	loader.exe	51

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops desktop.ini file(s)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2204
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:356
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        14⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        24⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        24⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        27⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        29⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        31⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        34⤵
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        34⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        35⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        38⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        38⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        39⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        39⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        40⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        42⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        42⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        43⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        44⤵
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        45⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        46⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        47⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        48⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        48⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        49⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        52⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        53⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        53⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        54⤵
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        54⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        55⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        55⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        56⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        57⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        60⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        61⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        61⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        62⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        62⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        62⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        64⤵
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        63⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        64⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        65⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        64⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        65⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        66⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        65⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        67⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        66⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        67⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        68⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        67⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        68⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        68⤵
        
        PID:496

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ZQABOPWE\Process.txt

Filesize
52B

MD5
7768ef076c726711492a1e3cc8138f96

SHA1
d3f76d80db286c4c72a23a9ea1a46caabe59fa36

SHA256
1a8701472f4642cee6af3d7b2be3be94bbf08b9e77726d34da21a45412e0b0e4

SHA512
13f8b3c4508696ecd9637b848617f54f18a04c1025c23efcfe605758599554e31d0c1e808afa6e17eb23d5383e7c43a8ed794bad3cb6023db0d817cdec6a644e

Download Submit
C:\ProgramData\ZQABOPWE\Process.txt

Filesize
104B

MD5
e3cc547bc462636d7516e67d38090691

SHA1
3257b4410be802437ca86b3d2e15b1f37dc731fb

SHA256
6500f9a3c9835b24a3440f223673a90e4dc12b9e58974b656b524657bb5e678f

SHA512
6f7cbd8af675ad68f6c887ca5f11109aa792950840a90aa8d576bf32c8dfa1970cb31b1e62831efdbceb35ea3901ba7240ed505e1b98afa0e32593d43e9ed511

Download Submit
C:\ProgramData\ZQABOPWE\Process.txt

Filesize
156B

MD5
2425b1c170d17adb81a07b4ab6e4db55

SHA1
0d43a1aad97845f465ffa14d72120fc26a61a7e0

SHA256
0a7d3519f2b0710097bde003608fa836459907d50c990567e2a9bf8cb6cee8b2

SHA512
3780926cc050aefa89e645a5dc574fb4b18cd3b77710daa6bf497b3fea915180bf53d05bd2ddbdfc0150bc362c95543fd11dd5f363c7b12e42ed0b867ee846a6

Download Submit
C:\ProgramData\ZQABOPWE\Process.txt

Filesize
206B

MD5
a50c527a6ae0e9d2eebdd81e4869fe00

SHA1
b342e2a5080b5182a8865b027ce8b219e95def61

SHA256
829bc6be876902743143be0bc29e8972faa7efe85055d60fd11898305fbb3f9e

SHA512
ca398580bc951f39abcdac747aa8553e1872c3f9dd2f04b12bd920db5b3cea81bbbf0a2acce6e55401e0986dadf55a0f63f3a07e38370f04b26274fd94b8f0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe

Filesize
320KB

MD5
bfe9dbc7a3596dbf6cf1a00d9aeabeef

SHA1
4de4f8a1f99258eb712878e42d6fbfa1c146602b

SHA256
c0842614ad00bab2d4e3f3150625e4f23fe49a14dcdaa8ce59a89ecb51c71568

SHA512
d0408a26d0a75861d442da9336dc442bf5b5ae02a4f414c005208019376d13a04b98502429be0733dfaeb710a1768dee78a5aa80723355bb903bc330a7f143c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
1.0MB

MD5
f59defd75d4bbda8e242a3adb53130c0

SHA1
2478bd05a1bf6f7da139eb9d7c00ed1b618c1eb0

SHA256
66171a1b4eed84cd153d7b45a978520a57153abf55c607a911645ea1c16156d5

SHA512
b2d28e9e1a5f66f37f132ff929d3f0dc4957b7d42dc7a46b7e5cd029c8df2fa75c0daeff12f94971e872b008ae88aa2eb959c99409f4db6364950dacd9e37d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBvYkWAY.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBvYkWAY.xlsm

Filesize
22KB

MD5
ce0aff47d4da5db3d4c3ccc9435cef0e

SHA1
dae2feb75358760bc5280f5a247d9c6af615b640

SHA256
87ce64d6f1acf29a8d75f76e6990af41171c713e219c9fa9ec22cfc5b469702e

SHA512
d1f902daea7edfa56a856d347347218b37aa56768c6309b81b7eef3f93f11619717bba1ea1dd063382992f56a0f27437ef0884b07b9e17bc38027d3c130f50fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBvYkWAY.xlsm

Filesize
26KB

MD5
1427f5b632a706164dc6778dffb0603d

SHA1
6b883dd3fce319917571d4a089b1a89072736703

SHA256
851c6c991e8f2a42f373d2a419e45c315cd35d12e0127f753bb61e69f947001b

SHA512
2aa213ac8c5c3b8f03f3063c85c0431ad64ff393778f74412d465d0009fbcd5c01cb0880c248e5fc191dbb7d923de4da0855267b61cb865f2c4478596a52de05

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBvYkWAY.xlsm

Filesize
28KB

MD5
8383b2f69ceefc26845c18da28411fac

SHA1
b719884e4c58846da4aaf13ea85e5dd4e3b49c46

SHA256
2f8b911e629d342eaa4749fa575de5127e9c93151e7faf9cda818d1d087539a1

SHA512
c6d76027cf1226bdbbfbe70d7f2280603d62b14253de5a961ac35a72279bd6b6c023d867214790cdffff799d48b37f56d0a25e2af97a12c1ef892ae3f943231f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBvYkWAY.xlsm

Filesize
25KB

MD5
fd8e78ff4ab2b3bb9aa8375f4361c2cd

SHA1
89abcadafac0297801950461d305421807ae7f12

SHA256
8a1d948475dc07f5addc0873ce65987a05b985113d8c32ffe7d0412590da2da0

SHA512
82e15ec14229ad849039b9dc7c219e02a2fb196373914f509633d3bbd6f79b69cb7103ab9a4d370329d98b4185e0825fcc522a29ce29086e66971c13d24693cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBvYkWAY.xlsm

Filesize
25KB

MD5
4487e4ecfb2d153621c2926a40ac2ec6

SHA1
7635e33914dd2b3f55feb4eaf51669ed6bc5f5a1

SHA256
abded1815ea381dde77fcfc940e6c16e5f2f06cc580d2401a015d666455285b8

SHA512
091e4d104bdfb02ded63d3d84caedbfcde547e9e3e4a8463c516314675e591b2e37c729162bc229c4616e89deb4561bb32527e879fef8f25fa8abb8e43a7d534

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
ae61a66d83f1da2e7095f4d550732fbd

SHA1
4ba3a2f43a47fec552cf1e9e35bb33ab2e60bf02

SHA256
2ef56f7d5a10e6545354978628a06584d9b535bd9f382f524abaf80fa28bab15

SHA512
a6a2ab88312e1ff90e4563049041739eda748d22fe82422886647f9819d1430eef71ea737291b0f6a1bb268c0ef6814bcdebdf100b51816482f5171b1e0a690a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3410.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp345F.tmp.dat

Filesize
92KB

MD5
6093b9b9effe107a1958b5e8775d196a

SHA1
f86ede48007734aebe75f41954ea1ef64924b05e

SHA256
a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0

SHA512
2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85F3.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85F4.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Desktop\DisconnectWait.xlsx

Filesize
11KB

MD5
7471826d22b3acdfc0eb2d488c90718b

SHA1
4916bf3fc766a86754f8c15a7017641fa4a9026f

SHA256
1157f58f22909e4a548490fef2be5cd0ae6d769dabde9157eaed09abc0e8f427

SHA512
484daef63a5c37564a714fffde57ab65df23ddc595c7c6b7f489a7f54d403a1e69be3ce56e0e9b0d21d31d2f47f0e0e95e64202f5dacb11b4aece675869bc3cc

Download Submit
C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Desktop\ProtectShow.png

Filesize
931KB

MD5
840322ab001dd0c58e9e87859fb66f61

SHA1
c5d16b7fb7c817dfd328729791971b29d604e087

SHA256
25f28329c582d4acb7e9cbca07bbf307a6aa6e2dc7eb2f0c0794f3e6939a8d41

SHA512
983c2d646e2ddf62fc13bb65ca6a42b0e8788f418b29d840ed8e0397e7d9d0d4a2966ed0ed6f34ca319b6de39c4005fc61fe80c5e6031e0e1e8aa743117fac97

Download Submit
C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Desktop\RevokeSkip.png

Filesize
680KB

MD5
5bfcc888a45a1dbef0bafb4f7d133af0

SHA1
cec43c26f02bbc16a307d5afc8d413a38a18f25a

SHA256
4a036abcb0c3d212b5d65b3feebbe673d3e43478b10449dc7349456723bfe3b4

SHA512
cae641bccfa7de10179a185ed9f791efa64f01aa7088b5ee1a173a34b94b7de557c08e0c8325728c49d47380f3953fb11876ce4232db8f2daff9faf98290346c

Download Submit
C:\Users\Admin\AppData\Local\ZQABOPWE\FileGrabber\Documents\ConvertInitialize.docx

Filesize
930KB

MD5
f4337d4751b747b11ea3e3df3677bb43

SHA1
9e3c66938cc14206a3f40061a25609c4772dcff6

SHA256
567bd69908a6c79cf2225657bd93a7ef657eb9ab182fcd5d400314b8302989d6

SHA512
dcff8800eda4a5281cc91a91372f9510371d073c6c30e516705e89433147d4ec1f025ceb2a86c4f8605f6b3108306b440459a16d32b7be2de5a9de5e64dd9d67

Download Submit
C:\Users\Admin\AppData\Local\ZQABOPWE\Process.txt

Filesize
224B

MD5
55ff310cf035e199de2c8e600157873b

SHA1
02552897234aa28f6e64984ccdc4a93e3ca77c11

SHA256
7f63c3b433b15eb88e2584c879f938538489b394c6114a04175cc3b5fbc50d59

SHA512
d527b532fed2a54fc3e156bce1f00a93cabac92f97dee4835256e3dc9cf74e003ccae6f85c2b5859eca7306b770267945d8bd6291f0d0eb3b54d3cef181c5048

Download Submit
C:\Users\Admin\AppData\Local\ZQABOPWE\Process.txt

Filesize
276B

MD5
cd7d5004a60d0c14e232dee96e4bcc70

SHA1
17c525a256f88dc22466ce1024eec74bc0fc873e

SHA256
035d13c5a325356aca39c045a9642facc6f533247d8258b3f11b1afae65acf0e

SHA512
a9b43ec69435bef4ec28b4d2cefb212be6ba04225fea60af3482df1dc6d57dad8475695ce1c9ff82bf70baa01ddce9fa9bfc62c06ddfd30b9f238f25c8c522c1

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Desktop\CompleteConvert.docx

Filesize
14KB

MD5
e5fee3807c86400ff1168538f5a65085

SHA1
448a8aa42ac13d27cdfef230e211f15f1c8ef678

SHA256
95f5e126a6f902ce41bd40ec54025b663dcd0e4d5a4491e49495c028ae311f37

SHA512
bfa9c264a4ccf37a2908ab775a166f9cbb79daca632815c8a6dbd1c3dab6f7dfc644dd3313a6e16501335193c7aba6f25450292cd271a789e9b2fdd54b276d58

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Documents\LimitUnblock.pptx

Filesize
686KB

MD5
ab01fd41a45c519193db7f8057455253

SHA1
5b9c24c59bf6e5dbb21509427a4cde39e41c5502

SHA256
aa7a689142ad090f1d4a1cfde16c8afcd54cb4daa9fcab9350ea7590652ebdfc

SHA512
bc9b7c3d4faab064f3a0d44d94638701be1bb9d4cb0b43d996dacbd9c4abe879788ee821d7cf9d631bfc77cf5d7af104f8fa25e8a90b5c205c27e532ebd0536a

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\EditRestore.rtf

Filesize
276KB

MD5
e5cc4815e7b94bdd970cef670ae077e8

SHA1
1dde37988ebff2517ea04503afa17f19fbba6c39

SHA256
dec11b19b59a28d7b37d05533cf996c9919e3379bc870e789727c0a386484813

SHA512
4b14f2616dea3167e2c9dff8dbaabb0a5eb34490caad66935033a018e62da2c395ddbd43a98e852e8f7ce9e2f6dd0a09776f4d5b3b42a20a01d14591fbc27743

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\InstallBlock.js

Filesize
297KB

MD5
dfdd4a9975b10ade4b317199a9811e45

SHA1
5728880c5c360117c376595e9e00768c8a7a3a5a

SHA256
74a679bc8145c26ff6b020d2c075c3492a71ffc8d1ba7ef93a9544c32691526e

SHA512
538296e0b28a8b2b13b7643a16e6ac5a70b8039459375e0f4d54e8aef4443dccaddbfa35be3264bd591fa2c7c08d93911a9dfee14250a73b17165c0eb72b264d

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\JoinRestore.php

Filesize
141KB

MD5
5f3c7be8b63ad1819f415e5e28cc38eb

SHA1
e51d9d87cf79a0738cec9dd4715d8b89ae8ff765

SHA256
700f825b1752d92cbb242d9367eea9681ccc9b45f6eb83ec4df47b0dd0e3ba2e

SHA512
27e2c2bc0ae25ad1234caa11e8795ee61290fd64b0787444eaf38636c1dc42d4cc1d93e2ce6598daf873374b244939849856606741e03ca81381b2a43bf95970

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\JoinStop.docx

Filesize
177KB

MD5
c572ed52a1329e14da48a76ef4d4d0da

SHA1
ebf484b6e7dcee2958ecba24ee28417bfa162b91

SHA256
68c93def84c22392bebc975cd1a332f22981c50b069b93250915e130f915593b

SHA512
2d2e5e15e23d900d35f4783e0eb189110970199fb211c6a41e07493318d403ff392cf296e6e773715741a6d064b6bd4255cb743f31b1ec94d37d74ff01ec48e4

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Pictures\BackupDebug.jpeg

Filesize
360KB

MD5
a99efab4bb0db6fd8f6464dcafacff38

SHA1
7ac94ea23ac5d7ae5854b02378675e6bea6199c4

SHA256
383782cc6bda78d1b78427b8336460c2d2b645e12c2f4c51cb3767e790b6b52e

SHA512
3bd6c0b9afdf070b2e60241533c3b20fbb0daae2965e5f100612bc1391643d5615465559c8ae6fb002cd0a6b12cd43b40103caa5084bd95f0d382f99df378e89

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Pictures\FormatOut.jpeg

Filesize
1.1MB

MD5
67c8c7cbb860fcb8fecb1301815b86a5

SHA1
962ef7ffad6adc3ecbd7d10cec5822b4074c40df

SHA256
3e129291893ded43f8f519d5e96a92c55059ace532dfbba30df355b214d5c95e

SHA512
5c4ca7717c0063ae9dbbc15a85c6a9d73853520a0c2e3d7a4e43aa9d4b49270a27bb9f8ec20123bd542c43bb62f726836b8c92fc6a3c8b300d3057bef6b905ef

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\FileGrabber\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\InstalledSoftware.txt

Filesize
1KB

MD5
196da0a1f32dbc89b3b8ba0f391f8c48

SHA1
f0ff637fb76443adad85bfa1b929dd4280d0170c

SHA256
6d9ebf86f570df9b344ad896c4ebec1ee61ae4074c6dc9bfb3fffb7c1b59c9ef

SHA512
b3f34fdca34021a40e2cf42fa806aec7d92c9b870a782a6268d7ae0115ba33d7bf444c8cfcd0f6537da2a448ea51c37b4d1fe5f020cc2e86b4e0850bde850706

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\Process.txt

Filesize
1KB

MD5
45a564480314b4f14c0ebe4d2a852a78

SHA1
f361876b7876bcfc930ef4fabb4f2c05f0620778

SHA256
7cd63897af64ae5490767479596c99399ae3d1f3496c2fdceff5baa562029b50

SHA512
349b1846aa915572549c58fb1661c683dcfe733c42314cc6448f5898502fa39bccf431ea6f4034d74741440dbcda01f6a035995975c2c71b2610730dba899797

Download Submit
C:\Users\Admin\AppData\Roaming\ZQABOPWE\Screen.png

Filesize
384KB

MD5
9203c6b2fa3f00bef10775180febabfc

SHA1
8638aaf4e2a2af41d0532550fdc21b503eaef530

SHA256
c65d3c3bc9f06a2fad70629a81bed1fa6cbb280eb9aa0c36949024e358b1a8d4

SHA512
6257fc9c1de9aef6cdbb2c465ae5ef6879c7b33b12fbdd22e09a0172ce6de3150f5a7fba90fa2728ddf47f274365d82927e47ea812ce1de3d79ef4519b645222

Download Submit
C:\Users\Admin\Desktop\~$OpenOut.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/668-898-0x0000000001390000-0x00000000013E6000-memory.dmp

Filesize
344KB

Download
memory/692-1608-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/752-768-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/752-204-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/752-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/768-1374-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1044-1132-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1248-1261-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1248-583-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1248-532-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1288-1924-0x0000000000BC0000-0x0000000000C16000-memory.dmp

Filesize
344KB

Download
memory/1532-529-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1556-1175-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1608-1616-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1740-1104-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1788-1366-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1796-1359-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1912-1601-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1952-1095-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2060-1026-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2076-1381-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2096-643-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2164-590-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2184-1388-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2204-58-0x0000000000D80000-0x0000000000DD6000-memory.dmp

Filesize
344KB

Download
memory/2208-1074-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2280-1644-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2344-1637-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2348-897-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2356-1260-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2360-1552-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2364-1-0x0000000000D90000-0x0000000001370000-memory.dmp

Filesize
5.9MB

Download
memory/2364-4-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-13-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2396-568-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2408-853-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2424-1424-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2440-832-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2548-1088-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2556-1425-0x00000000000D0000-0x0000000000126000-memory.dmp

Filesize
344KB

Download
memory/2564-557-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2664-1395-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2704-825-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2720-40-0x0000000000DC0000-0x0000000000E16000-memory.dmp

Filesize
344KB

Download
memory/2728-260-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2732-582-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2752-1321-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2764-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2764-39-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2812-868-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2844-1146-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2844-545-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2852-839-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2860-1081-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2880-1352-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2892-342-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2904-861-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2908-1675-0x00000000009F0000-0x0000000000A46000-memory.dmp

Filesize
344KB

Download
memory/2956-575-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2968-142-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2988-846-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3000-733-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3040-1623-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3044-1630-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3056-982-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3064-1176-0x0000000000290000-0x00000000002E6000-memory.dmp

Filesize
344KB

Download
memory/3068-1510-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download