stormkitty | 877bbfa93204729a4a260fede9c76318d4f7e58a38f6ba5073424f94829ed536

Resubmissions

13-01-2025 01:19

250113-bpjmya1nbj 3

12-01-2025 11:10

250112-m91bzasmbp 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

5.8MB
MD5

618cb93c3c997388af8524158c86bfeb
SHA1

fa1d990888cddd1ce2f42de85362127bfb4e3a63
SHA256

51f784375bfd11aa1c2d3d8ba38ba59682f5f54e09c0ebb3d5d67c33d1012259
SHA512

407fbf24f34a7810452136d678570d8ad0bd68640d7ff4df8bcf0c7d7bcd1621482bc4d47c1fb8ef0aa4540cb885024ae6055c359d9d70ecf10887be1113c80c
SSDEEP

98304:rDjJgdhBZTv0sGVD+Oq7j3JQ9oQSqEac8JgZSeC3FSDsa7V578kXHoujwCl1um:3jJuBtGVD+OoUq8+SZ1hAVpRRjw6Q

Score

10^/10

stormkitty xred backdoor collection discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 52 IoCs

resource	yara_rule
behavioral4/files/0x000b000000023b6f-6.dat	family_stormkitty
behavioral4/files/0x000a000000023b85-24.dat	family_stormkitty
behavioral4/memory/3092-146-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1060-147-0x0000000000D70000-0x0000000000DC6000-memory.dmp	family_stormkitty
behavioral4/memory/1092-338-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/556-500-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3212-620-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3800-639-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1712-640-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1640-872-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1836-889-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2944-904-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2448-919-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4128-935-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4324-946-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2308-956-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3564-966-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1288-1040-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4588-1123-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3204-1171-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2980-1215-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/5036-1239-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2716-1351-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1536-1362-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/640-1372-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4324-1382-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4952-1393-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1108-1403-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4168-1413-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1100-1423-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1468-1465-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3040-1551-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/384-1630-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4908-1672-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1712-1675-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/556-1684-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/628-1796-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2060-1806-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3548-1816-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4492-1826-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1520-1837-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/5076-1847-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1560-1857-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4928-1867-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3044-1907-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2252-1994-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/1372-2055-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3884-2092-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/4388-2104-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2172-2216-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/3304-2226-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty
behavioral4/memory/2208-2236-0x0000000000400000-0x0000000000512000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 64 IoCs

pid	Process
3092	Client.exe
1060	._cache_Client.exe
1712	Synaptics.exe
4288	._cache_Synaptics.exe
1092	Client.exe
676	._cache_Client.exe
556	Client.exe
1648	._cache_Client.exe
3212	Client.exe
2276	._cache_Client.exe
3800	Client.exe
808	._cache_Client.exe
1640	Client.exe
4896	._cache_Client.exe
1836	Client.exe
3088	._cache_Client.exe
2944	Client.exe
3356	._cache_Client.exe
2448	Client.exe
1484	._cache_Client.exe
4128	Client.exe
1656	._cache_Client.exe
4324	Client.exe
344	._cache_Client.exe
2308	Client.exe
840	._cache_Client.exe
3564	Client.exe
1596	._cache_Client.exe
1288	Client.exe
2180	._cache_Client.exe
4588	Client.exe
3356	._cache_Client.exe
3204	Client.exe
3364	._cache_Client.exe
2980	Client.exe
440	._cache_Client.exe
5036	Client.exe
3804	._cache_Client.exe
2716	Client.exe
4936	._cache_Client.exe
1536	Client.exe
3064	._cache_Client.exe
640	Client.exe
4636	._cache_Client.exe
4324	Client.exe
4460	._cache_Client.exe
4952	Client.exe
1540	._cache_Client.exe
1108	Client.exe
4804	._cache_Client.exe
4168	Client.exe
4656	._cache_Client.exe
1100	Client.exe
1648	._cache_Client.exe
1468	Client.exe
1836	._cache_Client.exe
3040	Client.exe
3508	._cache_Client.exe
384	Client.exe
1288	._cache_Client.exe
4908	Client.exe
636	._cache_Client.exe
556	Client.exe
3976	._cache_Client.exe

Loads dropped DLL 64 IoCs

pid	Process
1092	Client.exe
1092	Client.exe
556	Client.exe
556	Client.exe
3212	Client.exe
3212	Client.exe
3800	Client.exe
3800	Client.exe
1640	Client.exe
1640	Client.exe
1836	Client.exe
1836	Client.exe
2944	Client.exe
2944	Client.exe
2448	Client.exe
2448	Client.exe
4128	Client.exe
4128	Client.exe
4324	Client.exe
4324	Client.exe
2308	Client.exe
2308	Client.exe
3564	Client.exe
3564	Client.exe
1288	Client.exe
1288	Client.exe
4588	Client.exe
4588	Client.exe
3204	Client.exe
3204	Client.exe
2980	Client.exe
2980	Client.exe
5036	Client.exe
5036	Client.exe
2716	Client.exe
2716	Client.exe
1536	Client.exe
1536	Client.exe
640	Client.exe
640	Client.exe
4324	Client.exe
4324	Client.exe
4952	Client.exe
4952	Client.exe
1108	Client.exe
1108	Client.exe
4168	Client.exe
4168	Client.exe
1100	Client.exe
1100	Client.exe
1468	Client.exe
1468	Client.exe
3040	Client.exe
3040	Client.exe
384	Client.exe
384	Client.exe
4908	Client.exe
4908	Client.exe
556	Client.exe
556	Client.exe
628	Client.exe
628	Client.exe
2060	Client.exe
2060	Client.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 36 IoCs

description	ioc	Process
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Saved Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Downloads\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Camera Roll\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Saved Pictures\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Pictures\Saved Pictures\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Saved Pictures\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Camera Roll\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\Saved Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\Camera Roll\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Pictures\Saved Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Documents\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Pictures\Camera Roll\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Desktop\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Roaming\HGNBWBGW\FileGrabber\Pictures\Camera Roll\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Downloads\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Camera Roll\desktop.ini	._cache_Client.exe
File created	C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\desktop.ini	._cache_Client.exe
File created	C:\ProgramData\HGNBWBGW\FileGrabber\Desktop\desktop.ini	._cache_Client.exe

Looks up external IP address via web service 17 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
152	ip-api.com
62	api.ipify.org
64	api.ipify.org
115	api.ipify.org
120	freegeoip.app
177	freegeoip.app
192	api.ipify.org
193	ip-api.com
14	freegeoip.app
102	freegeoip.app
151	api.ipify.org
17	freegeoip.app
65	ip-api.com
158	freegeoip.app
173	api.ipify.org
21	freegeoip.app
63	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Client.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2220	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	._cache_Client.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
676	._cache_Client.exe
676	._cache_Client.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1648	._cache_Client.exe
1648	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
4288	._cache_Synaptics.exe
4288	._cache_Synaptics.exe
1060	._cache_Client.exe
1060	._cache_Client.exe
2276	._cache_Client.exe
2276	._cache_Client.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	._cache_Client.exe
Token: SeDebugPrivilege	4288	._cache_Synaptics.exe
Token: SeDebugPrivilege	676	._cache_Client.exe
Token: SeDebugPrivilege	1648	._cache_Client.exe
Token: SeDebugPrivilege	2276	._cache_Client.exe
Token: SeDebugPrivilege	808	._cache_Client.exe
Token: SeDebugPrivilege	4896	._cache_Client.exe
Token: SeDebugPrivilege	3088	._cache_Client.exe
Token: SeDebugPrivilege	3356	._cache_Client.exe
Token: SeDebugPrivilege	1484	._cache_Client.exe
Token: SeDebugPrivilege	1656	._cache_Client.exe
Token: SeDebugPrivilege	344	._cache_Client.exe
Token: SeDebugPrivilege	840	._cache_Client.exe
Token: SeDebugPrivilege	1596	._cache_Client.exe
Token: SeDebugPrivilege	2180	._cache_Client.exe
Token: SeDebugPrivilege	3356	._cache_Client.exe
Token: SeDebugPrivilege	3364	._cache_Client.exe
Token: SeDebugPrivilege	440	._cache_Client.exe
Token: SeDebugPrivilege	3804	._cache_Client.exe
Token: SeDebugPrivilege	4936	._cache_Client.exe
Token: SeDebugPrivilege	3064	._cache_Client.exe
Token: SeDebugPrivilege	4636	._cache_Client.exe
Token: SeDebugPrivilege	4460	._cache_Client.exe
Token: SeDebugPrivilege	1540	._cache_Client.exe
Token: SeDebugPrivilege	4804	._cache_Client.exe
Token: SeDebugPrivilege	4656	._cache_Client.exe
Token: SeDebugPrivilege	1648	._cache_Client.exe
Token: SeDebugPrivilege	1836	._cache_Client.exe
Token: SeDebugPrivilege	3508	._cache_Client.exe
Token: SeDebugPrivilege	1288	._cache_Client.exe
Token: SeDebugPrivilege	636	._cache_Client.exe
Token: SeDebugPrivilege	3976	._cache_Client.exe
Token: SeDebugPrivilege	2276	._cache_Client.exe
Token: SeDebugPrivilege	3456	._cache_Client.exe
Token: SeDebugPrivilege	1776	._cache_Client.exe
Token: SeDebugPrivilege	1064	._cache_Client.exe
Token: SeDebugPrivilege	468	._cache_Client.exe
Token: SeDebugPrivilege	3304	._cache_Client.exe
Token: SeDebugPrivilege	2428	._cache_Client.exe
Token: SeDebugPrivilege	384	._cache_Client.exe
Token: SeDebugPrivilege	452	._cache_Client.exe
Token: SeDebugPrivilege	1960	._cache_Client.exe
Token: SeDebugPrivilege	5092	._cache_Client.exe
Token: SeDebugPrivilege	3720	._cache_Client.exe
Token: SeDebugPrivilege	1536	._cache_Client.exe
Token: SeDebugPrivilege	648	._cache_Client.exe
Token: SeDebugPrivilege	4624	._cache_Client.exe
Token: SeDebugPrivilege	2840	._cache_Client.exe
Token: SeDebugPrivilege	2860	._cache_Client.exe
Token: SeDebugPrivilege	3872	._cache_Client.exe
Token: SeDebugPrivilege	1832	._cache_Client.exe
Token: SeDebugPrivilege	2088	._cache_Client.exe
Token: SeDebugPrivilege	5072	._cache_Client.exe
Token: SeDebugPrivilege	5060	._cache_Client.exe
Token: SeDebugPrivilege	4920	._cache_Client.exe
Token: SeDebugPrivilege	216	._cache_Client.exe
Token: SeDebugPrivilege	1340	._cache_Client.exe
Token: SeDebugPrivilege	2632	._cache_Client.exe
Token: SeDebugPrivilege	4984	._cache_Client.exe
Token: SeDebugPrivilege	1832	._cache_Client.exe
Token: SeDebugPrivilege	4028	._cache_Client.exe
Token: SeDebugPrivilege	1340	._cache_Client.exe
Token: SeDebugPrivilege	3204	._cache_Client.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3092	4944	loader.exe	82
PID 4944 wrote to memory of 3092	4944	loader.exe	82
PID 4944 wrote to memory of 3092	4944	loader.exe	82
PID 4944 wrote to memory of 4744	4944	loader.exe	83
PID 4944 wrote to memory of 4744	4944	loader.exe	83
PID 3092 wrote to memory of 1060	3092	Client.exe	84
PID 3092 wrote to memory of 1060	3092	Client.exe	84
PID 3092 wrote to memory of 1060	3092	Client.exe	84
PID 3092 wrote to memory of 1712	3092	Client.exe	85
PID 3092 wrote to memory of 1712	3092	Client.exe	85
PID 3092 wrote to memory of 1712	3092	Client.exe	85
PID 1712 wrote to memory of 4288	1712	Synaptics.exe	86
PID 1712 wrote to memory of 4288	1712	Synaptics.exe	86
PID 1712 wrote to memory of 4288	1712	Synaptics.exe	86
PID 4744 wrote to memory of 1092	4744	loader.exe	88
PID 4744 wrote to memory of 1092	4744	loader.exe	88
PID 4744 wrote to memory of 1092	4744	loader.exe	88
PID 4744 wrote to memory of 1876	4744	loader.exe	89
PID 4744 wrote to memory of 1876	4744	loader.exe	89
PID 1092 wrote to memory of 676	1092	Client.exe	91
PID 1092 wrote to memory of 676	1092	Client.exe	91
PID 1092 wrote to memory of 676	1092	Client.exe	91
PID 1876 wrote to memory of 556	1876	loader.exe	95
PID 1876 wrote to memory of 556	1876	loader.exe	95
PID 1876 wrote to memory of 556	1876	loader.exe	95
PID 1876 wrote to memory of 3968	1876	loader.exe	96
PID 1876 wrote to memory of 3968	1876	loader.exe	96
PID 556 wrote to memory of 1648	556	Client.exe	97
PID 556 wrote to memory of 1648	556	Client.exe	97
PID 556 wrote to memory of 1648	556	Client.exe	97
PID 3968 wrote to memory of 3212	3968	loader.exe	98
PID 3968 wrote to memory of 3212	3968	loader.exe	98
PID 3968 wrote to memory of 3212	3968	loader.exe	98
PID 3968 wrote to memory of 4664	3968	loader.exe	99
PID 3968 wrote to memory of 4664	3968	loader.exe	99
PID 3212 wrote to memory of 2276	3212	Client.exe	100
PID 3212 wrote to memory of 2276	3212	Client.exe	100
PID 3212 wrote to memory of 2276	3212	Client.exe	100
PID 4664 wrote to memory of 3800	4664	loader.exe	101
PID 4664 wrote to memory of 3800	4664	loader.exe	101
PID 4664 wrote to memory of 3800	4664	loader.exe	101
PID 4664 wrote to memory of 4632	4664	loader.exe	102
PID 4664 wrote to memory of 4632	4664	loader.exe	102
PID 3800 wrote to memory of 808	3800	Client.exe	103
PID 3800 wrote to memory of 808	3800	Client.exe	103
PID 3800 wrote to memory of 808	3800	Client.exe	103
PID 4632 wrote to memory of 1640	4632	loader.exe	104
PID 4632 wrote to memory of 1640	4632	loader.exe	104
PID 4632 wrote to memory of 1640	4632	loader.exe	104
PID 4632 wrote to memory of 1180	4632	loader.exe	105
PID 4632 wrote to memory of 1180	4632	loader.exe	105
PID 1640 wrote to memory of 4896	1640	Client.exe	106
PID 1640 wrote to memory of 4896	1640	Client.exe	106
PID 1640 wrote to memory of 4896	1640	Client.exe	106
PID 1180 wrote to memory of 1836	1180	loader.exe	110
PID 1180 wrote to memory of 1836	1180	loader.exe	110
PID 1180 wrote to memory of 1836	1180	loader.exe	110
PID 1180 wrote to memory of 1280	1180	loader.exe	111
PID 1180 wrote to memory of 1280	1180	loader.exe	111
PID 1836 wrote to memory of 3088	1836	Client.exe	112
PID 1836 wrote to memory of 3088	1836	Client.exe	112
PID 1836 wrote to memory of 3088	1836	Client.exe	112
PID 1280 wrote to memory of 2944	1280	loader.exe	114
PID 1280 wrote to memory of 2944	1280	loader.exe	114

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Client.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4288
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:676
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4664
      - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Checks computer location settings
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        16⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        Checks computer location settings
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        Checks computer location settings
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        Checks computer location settings
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        Checks computer location settings
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        29⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        Checks computer location settings
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        Checks computer location settings
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        33⤵
        Checks computer location settings
        Loads dropped DLL
        Modifies registry class
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        Checks computer location settings
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        35⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        36⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        36⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        37⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        Checks computer location settings
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        37⤵
        Modifies registry class
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        38⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        Checks computer location settings
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        38⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        39⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        Checks computer location settings
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        40⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        Checks computer location settings
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        40⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        41⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        42⤵
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        Checks computer location settings
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        42⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        43⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        Checks computer location settings
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        44⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        45⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        46⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        Checks computer location settings
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        46⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        Checks computer location settings
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        47⤵
        Modifies registry class
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        48⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        48⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        49⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        Checks computer location settings
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        50⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        51⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        Checks computer location settings
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        51⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        52⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        52⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        53⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        Checks computer location settings
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        53⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        54⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        Checks computer location settings
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        54⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        55⤵
        Accesses Microsoft Outlook profiles
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        Checks computer location settings
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        55⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        Checks computer location settings
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        56⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        Checks computer location settings
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        57⤵
        Modifies registry class
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        Checks computer location settings
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        58⤵
        Checks computer location settings
        Modifies registry class
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        59⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        Checks computer location settings
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        59⤵
        Modifies registry class
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        60⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        60⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        Checks computer location settings
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        61⤵
        Modifies registry class
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        62⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        Checks computer location settings
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        62⤵
        Checks computer location settings
        Modifies registry class
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        63⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        62⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        63⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        63⤵
        Checks computer location settings
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        64⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe"
        65⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        64⤵
        
        PID:1372

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HGNBWBGW\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\HGNBWBGW\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Desktop\SelectGroup.jpg

Filesize
319KB

MD5
84644b3300c15cb16f4298db06d7da11

SHA1
e0ffc0600d391b2b30f97e381404aa943af3ab7d

SHA256
e12be0cf3d141ca7fa7ab341d17a9085c2b4f6218e2d16d24620a72643ed1f26

SHA512
4a2b5db1475f2c32c6e687979bed34dce81f8958253c5b3d23faf49b491c322c2d21a1f91723220e215f372a0ad34d260c085c79ae1a0c7fcd1efc036be81c30

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Desktop\UnlockConvertTo.html

Filesize
265KB

MD5
a20acd78d59f485aca82d1a0e554f96a

SHA1
e39eea7de9d7c8d58a569b1e6aaffdd6c7315e3a

SHA256
99c472233c0ddb385b6b12d427380af4124445b8a2983bfb70cda56d2613f51b

SHA512
974d72e9f855b3f280709221fa1d8fd2a18eb7e2c4470edf933f4a0b7988c034e5ea9437040eccd34ab03316f35433d55b7d6a209e95bcafca8da038dc756197

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Documents\LimitSwitch.xlsx

Filesize
10KB

MD5
21d8c9d7eb948181a84859a771723895

SHA1
bcdc0589bb8b03af446f125aed57be2296e56e26

SHA256
5139b85b95a7b7efe15b0178757c831db8a2df50836468342be3fd4a7de37c0f

SHA512
b4f2f329ecb36febf0b0ff70078583d9769d795e1b6279fec71e7d3a96e366011f271f0c54449bf8a149759d79c70d67de15219a4ede24b3449ab9e4642d21fd

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Documents\RequestUse.ppt

Filesize
472KB

MD5
706357753ff5c56392dcfab73e3751f6

SHA1
d54493e94d5f7e0458047b88cee921b668cf4e1b

SHA256
5ca662cccfbba384652451f90cec7d1cb28f1e4e0ed80dde650d2c0c13991be3

SHA512
6fea1f627e8e2fcea861a35053a89b090e8cace12fc15e525988decff96ab66f71c357f21fb2eb01d87c107fcab3e8adf9d206c4077d054f22eb418c3d92be7a

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Downloads\AssertMount.css

Filesize
618KB

MD5
822be403b80c8806d6939d8c904ce519

SHA1
7d9050a47910bb404c271e818c9f2355a71958b3

SHA256
37a174a0853261c0ea7ab95e05d88301227ec1fcaea4e134c24af58244f49845

SHA512
a5ac57cf20d9acf218d926fbc50e3074f91fe095891e3f18f348908f08a6fa8b8ee205c3ea991cc78cb5dd2d2a5737a589a21aa1c23b94a06b66f685184436dc

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Downloads\ResizeUnblock.xlsx

Filesize
1.1MB

MD5
a3bfd55293108aff6c71dff0235b6d90

SHA1
90f142b9f6e0a13536d61e1ff71fc89cdf6496ea

SHA256
cd008dab90e90cddbce08ef057e9ebbb587a490d6364c28ac217259a0cad42f2

SHA512
c54b65823c6a20028fd0f3b563f08270a456cf2cd8a1da89f5c2c856d9f7364a7f3178bdba773e99cc6bd2b75385590c89a9dbbe70ae2c73053db460c966ce7d

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\ProgramData\HGNBWBGW\FileGrabber\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\ProgramData\HGNBWBGW\Process.txt

Filesize
4KB

MD5
f8d59ecf6a5da07f0d5276f56d82afb2

SHA1
7eb923613fe81a8467aa803cee493bf7ad807bd3

SHA256
665a9877bec94d4395135f4f3adbd35252806e4e319538f07be5e62057ffc237

SHA512
71dcfbfa934098c197598358fe098b5e066595237bcbec3d8471dec0a5d6a7ae049e252ea40a538a3d58c7556ff7e65ac851777611a65fff332de56a21c6f08a

Download Submit
C:\ProgramData\HGNBWBGW\Process.txt

Filesize
4KB

MD5
eebac5b641ed84a1388e03d1e2dfa7b0

SHA1
ca7a7345e8c03a2cc790e792b04c6bba62d255f9

SHA256
f67f82aee62e50d6fc7a5cea428e134e341d79e088fb92d5379e2a82cdd37eb5

SHA512
656f345e418422d89791c28c7771c7d9d10d3f92cdedc0887ad96e53f6cbe84c2707b8f40b63b0ed69e73d64dbb0517869555ced194834d0696da5a913b3e71b

Download Submit
C:\ProgramData\HGNBWBGW\Process.txt

Filesize
4KB

MD5
b701734b0065cf5c804437507c70cf39

SHA1
d3d543872c9f6d8e307caea8703a88ea0509b573

SHA256
0951e27784a8cace8f735c074ca014efb8f6524ccdd87d16a0b65f85cefeb70d

SHA512
29a123c46aac25a829bb72fd97eed38e5493cd4b42ea6904023cb3ddc48fbe1f8c2b99ffd4b5a1982ad9d0abc7935a7d455e3363ae3fb58076bb09fbcfab3ab6

Download Submit
C:\ProgramData\HGNBWBGW\Screen.png

Filesize
430KB

MD5
9922c4c0978ad7075444a5075015596b

SHA1
827fe5fbe212433ad7b039bf94b24259a2ab1acf

SHA256
de778da0bb6b8180eeb15b38557deb3110f4f41f769841092ca5f27218643e61

SHA512
26887994b103183218fe674e7550ffec5e6044e04655f2ea5f6a47c39c42b43ad353c6a046752f58d06424a8f93afcc1e217fb971da53e4357e882da61054f33

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Desktop\DenyRead.ini

Filesize
246KB

MD5
b03f3da20fb292b3d76a4580e539af70

SHA1
f400f61878d4b16df6e93f68fa09f6e8bdc478a4

SHA256
6b918daf4ac90fd20fab5320a97d52805a12213cb7fde080fa6c9df06351ebed

SHA512
a551723d28de869cd9612140abc29b06af44350039fecea50777c8ab3dc334fda08145336fae4b8ca344b22de88a13355ac6d105b5c65f512193afcd0dfc1c77

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Desktop\RegisterDeny.js

Filesize
347KB

MD5
bb9eced653e123e5b8e736d390e68f47

SHA1
53b9adcde34ba6e3089dc2c511f458db251d098c

SHA256
d2c627a46448a9df396bb858993903824e751dfc9a89ab7e5fe97f5f01e71b24

SHA512
97208535d37ad7d54bbb6266c95bf9024a344c5ee6994ffad39351306f9e0d4d5b6ad050049887c27491fa02417d27a5cc27f6e94d7a53f9ce6ad9008cc42999

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Desktop\UnregisterGrant.js

Filesize
146KB

MD5
f1f2c27a2f05361f8cfee51923a6bc13

SHA1
50b600feb6ca35999adcc1ad594abdfb8ce98483

SHA256
e53b59789a255d3570a529e1e8f788cf22ce1d86ae15c7cd8665364683f9a694

SHA512
5137b34c189698252aa89de0fc71d7e3442d9a2bfbf58c47f4bb0e2f02d0ecf0038c758ae9ad79a4dbc1050347c8c8b84f1497bd1c112496b45d67183826bd41

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Documents\OptimizeAdd.doc

Filesize
298KB

MD5
f82a9b9e7924f934ec01321bbdace1b6

SHA1
03d99a579e8a78c4c0ae5c7a32be01eeeca8c4b7

SHA256
7cfc4cd0756e54dfe96595af6bd43c29d038cae211d5c94ff5ad0d621c4ccdaa

SHA512
710ba20c9b1e9e494ac252b5031e0dcbabc60c9b5f867fdac2d6188f6ad3a76c344762a730a7d9afa2f4b40d6fa3bce9c37e04a33d3d2a0a76c6f068681d0ace

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Documents\ProtectRead.xls

Filesize
398KB

MD5
98b2be4a68b795f4247a06af6b7e7072

SHA1
a55c1b842a970e6e010c62d632cbc63687672a0a

SHA256
4a64e80e9f8eb6474db9f489cf96a1f6da1df90eecb8bf9096c741ddee5f575c

SHA512
d69c4273794df8562bf75d2d65bfe5481432ed31bbe1261241c19712d2a5e2f26ee784a8791d7c74244808d78198e8a83d6f58b5cd884e02ccd0c7f8d50d1797

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Documents\ResumeGroup.xlsx

Filesize
10KB

MD5
14f79b9c75003503fab690142b08af02

SHA1
5fd9d12a77aea0192d753e1fabe0f6ef3382d49e

SHA256
56aadc0f3d9642947219a6384919a8391fb8360d9502248a3a9367fbdc00a5e9

SHA512
18d71e86fddb187b4a5d57bcd65fc66dc07bba2167f89ab4ee8acd32e44f77af28973edda34895ec94b3bc6376ce3c9ff1064991780e50220b14594c21faa7f8

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Documents\StopRead.pdf

Filesize
348KB

MD5
ffff8bdeb19c126596114e276768b4af

SHA1
160d0ffa9d87d717a7060e456e46ded7c8714808

SHA256
f7855c303fd5796f67224a461f08f206c363de4fedf5203aa34a54ea4082f85f

SHA512
00c329850dd88cd7ff2a6d85afce10d98a166d230d27d77befd8a355bc4ad94feb3a2dc6d1861a85779b6b909038449605fb9db5def7082e526f06b7ba31d5f1

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Downloads\DenyResume.rtf

Filesize
458KB

MD5
cc40262d03de39c5a7a83d9feb9daa5a

SHA1
f3c013f9c4d2e2b934a384ca06d62f04af0cf566

SHA256
87e77a9ba81f84152ceef0ee773740b1b0d024ed31d6ea10604a2f1e85a8702d

SHA512
12681c4734751480639d10074950575b2d5b25a3ebf0399b77327d43be9f2337c1c86fa14127049dd1d6aa127c1cc620f2dd5fad9a32a2cc53596eaa98afa46b

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\ConnectPublish.jpg

Filesize
470KB

MD5
f9daf9a70afde9407fb381b30ed8c899

SHA1
81fbf9be422cec969c846c9c4e37c596977c60a7

SHA256
e2f4c4f4f7d8702eb4b813a1e82e5af14e168ce4f093b666b6913a607a2a1730

SHA512
1188c96dbca401a1a55b9c605b6ed2c5673a002709261d14dd56c63177376fda9a68b08d10862d6221c4234d603906382226cc8d9eb34fb8d78d06c09583814b

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\ImportInstall.jpeg

Filesize
339KB

MD5
d99b64f48e82643f079f46ba7bb96bf7

SHA1
2d88147e1d9d77fbb4477f40a4620ea20953a556

SHA256
473eca93cfa502dfb5d5310b4b8c29fe9b8bb8ae3fb80de6dac77ca0c58187a6

SHA512
d183c6f88b65d92f47cdb0cd8f656042593e4b9f37df3204cceb9c71021139afd326134cb9279a2dcd17a5433c1d52978551acf64373621a37c4f527059f5d07

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\FileGrabber\Pictures\WriteJoin.bmp

Filesize
235KB

MD5
516661d140923767ca37bc7dc5980916

SHA1
322e5a4de23ee98c7565376a33a38af20c129e7f

SHA256
06188883a8bdc9f55182d181ecac7ac2ea846ed8619a117c2806aeb02b0f307c

SHA512
0a672c129ccef250fc9f3167224be93728bde9891ebbea0626bd1bfe58fbf4f25871e95087f7e9b8bf4e0cf383f70e9a6f39bc011e3d09c5b2b8d08f72a20e01

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\InstalledSoftware.txt

Filesize
1KB

MD5
bca4ee4b0d73edf2835ac08ab38d1bd9

SHA1
a833d7663f5edecc050b37b7efd1d563268ea0df

SHA256
0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f

SHA512
48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

Download Submit
C:\Users\Admin\AppData\Local\HGNBWBGW\Process.txt

Filesize
4KB

MD5
e03a7f95a9833b3cce77389e479fe106

SHA1
812e3109606d746b4017110921679c46aaa64ed3

SHA256
2a52536a31f576c3341fc1d24d02b56101871a27cfaadec4da899e94df82dfc3

SHA512
7c7f719f7f1bafa05b546ac5bb19ef47a38ead8a4cf4901c474fa1360a1a2b03dbfdcd77eb68ed99eecd5b6e06585936b04efcbb317cfed5dc7a64326ae51ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\._cache_Client.exe.log

Filesize
422B

MD5
c0f88724728a6db54e84f6f0ad0e2a78

SHA1
e685c13e29d447e73d7a11c53f7ae6d27dffecb6

SHA256
0d578f2a54fea6fffd0e63e4e9603154cbc84cc99a15fd5682c5ec638c5d3ed0

SHA512
8f1646b3708e539861edb223b3d694bc98d1761a76d8fce3d1d3d9fda6ab71bc141fd4d442c54b14b254533a74bb86dc63e7fb09abbc259cfac5156af5b18664

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Client.exe

Filesize
320KB

MD5
bfe9dbc7a3596dbf6cf1a00d9aeabeef

SHA1
4de4f8a1f99258eb712878e42d6fbfa1c146602b

SHA256
c0842614ad00bab2d4e3f3150625e4f23fe49a14dcdaa8ce59a89ecb51c71568

SHA512
d0408a26d0a75861d442da9336dc442bf5b5ae02a4f414c005208019376d13a04b98502429be0733dfaeb710a1768dee78a5aa80723355bb903bc330a7f143c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA975E00

Filesize
22KB

MD5
37c60153e59b32e181e1f2b491e481e2

SHA1
0b0edd71d9ce2cf7ebbc6458b4b74f0b513a5055

SHA256
05f7374d619898df207014a065dcd62c8c93ddf6a7ddbed5f6da8536fc23d241

SHA512
ff538fc2b3c448b32638f24f244ec662bf4fe1923757b7fc0e7fa258c6219001184caf2901bfd9e7c3413fd8ce04abff248dd5057e6fb70ed54e66ddb753fa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
1.0MB

MD5
f59defd75d4bbda8e242a3adb53130c0

SHA1
2478bd05a1bf6f7da139eb9d7c00ed1b618c1eb0

SHA256
66171a1b4eed84cd153d7b45a978520a57153abf55c607a911645ea1c16156d5

SHA512
b2d28e9e1a5f66f37f132ff929d3f0dc4957b7d42dc7a46b7e5cd029c8df2fa75c0daeff12f94971e872b008ae88aa2eb959c99409f4db6364950dacd9e37d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
19b8ad57bdab8ad0e83915a3b20183c1

SHA1
62bdf09a73fa09296118d77ef366642233f9db6f

SHA256
8a3f119a5dac3b2cc21b6d635e750a526620f284aec290a74e1712a579a3d614

SHA512
d55a389f359504ecd8d0b4cd1772ea89ab26433ba23e1c399dc4ecc55dd67d033f90d27314e02e9f6b5a441c6a3e7edf9b3b481e8d101536ac0c2fa90f99a267

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1263.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14F5.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BEA.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93C9.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9531.tmp.dat

Filesize
114KB

MD5
0163d73ac6c04817a0bed83c3564b99f

SHA1
784001e8d0e7ab6a09202c2a1094f371f7d017cb

SHA256
5114af822abc2b0f2aabb7565919164c9babf884e34c21095213dbe6a71511ea

SHA512
47051ee935be9e9d4457447c7fe5df06a5b0c5ef55d2c757d3dfa179b6049ae79732b1552e812febe5ae41a076cb29d8a809ae9b168afc7eb4c9eadfadcf5d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp97C4.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB08.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB09.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGFaZxB1.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\HGNBWBGW\Process.txt

Filesize
4KB

MD5
c7ce81a6354edc2d98b7261c5e0846d0

SHA1
f75754de65c11badba470aa3490d3530894a7cdb

SHA256
853a3d4e747fe98c51cf0b79bc2f37669f3cbdf2e086eca0b0d7418066c039ec

SHA512
d47cece503c29f90e8d4ac7616a8c1cc3b92fa1577dfb3a5c35ddab87d23fad6df57bd886cc6dbb0595046d255f2c5958bc934ef34fbdb029a02ae921c6f4800

Download Submit
C:\Users\Admin\AppData\Roaming\HGNBWBGW\Process.txt

Filesize
52B

MD5
e169e0338c7312c775b03f789082c1f1

SHA1
cb808c73088809048604fc9c18b03db6931f01bb

SHA256
44ab3a83e5257040ea54c36092f98e294b9cb03d56b26e53cdfb461e59e84fef

SHA512
e7a3292d87f13f4ff0cc5a25a43c26c8a9ce3ce37b2ec998ac00629b9d61a0e1524b13d4f1c6f97c24877313c3ad0b1f0dec9f643ce7c168f6c9d8714e63bc11

Download Submit
C:\Users\Admin\AppData\Roaming\HGNBWBGW\Process.txt

Filesize
116B

MD5
a72047216266f157a8b70a7ce2142876

SHA1
d9fc8b3d678c5b9cbd4dc436c7b5d40f3d190570

SHA256
9c95b68425e79e4262b04c152b5af2183572974aa643292af93d012e60978838

SHA512
9291e1d7e6e99682bdbc8a436a1b4960bd7d0ddcfd6dc368cb292767a314be281d72997b68e0c0bc0568fc2b1b0c5d963391c060783228ded52ff8bd3dcb1e66

Download Submit
C:\Users\Admin\AppData\Roaming\HGNBWBGW\Process.txt

Filesize
4KB

MD5
90b0646efed1f37189645d0c663bbe0c

SHA1
ddae30969ef49c82037e61bac572426f63307bc8

SHA256
c99605dbf06c9b2938b464cf6b268eb38db2b3639b033b9d0b58337e5fd3b34e

SHA512
7d63d48da8728eeb55f8667ac15f6934e10fc1f482f95ccb220724bd42afc6142261831c4097a407824fcbb33207a1a6d2641792b31ed8a7b52ecf13964c2d23

Download Submit
memory/384-1630-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/556-500-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/556-1684-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/628-1796-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/640-1372-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1060-274-0x0000000006A70000-0x0000000006B02000-memory.dmp

Filesize
584KB

Download
memory/1060-275-0x00000000070C0000-0x0000000007664000-memory.dmp

Filesize
5.6MB

Download
memory/1060-147-0x0000000000D70000-0x0000000000DC6000-memory.dmp

Filesize
344KB

Download
memory/1060-286-0x0000000006FA0000-0x0000000007006000-memory.dmp

Filesize
408KB

Download
memory/1092-338-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1100-1423-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1108-1403-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1288-1040-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1372-2055-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1468-1465-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1520-1837-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1536-1362-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1560-1857-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1640-872-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1712-1675-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1712-640-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1836-889-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2060-1806-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2172-2216-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2208-2236-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2220-308-0x00007FFD9B0E0000-0x00007FFD9B0F0000-memory.dmp

Filesize
64KB

Download
memory/2220-287-0x00007FFD9B0E0000-0x00007FFD9B0F0000-memory.dmp

Filesize
64KB

Download
memory/2220-266-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

Filesize
64KB

Download
memory/2220-265-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

Filesize
64KB

Download
memory/2220-254-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

Filesize
64KB

Download
memory/2220-255-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

Filesize
64KB

Download
memory/2220-250-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

Filesize
64KB

Download
memory/2252-1994-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2308-956-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2448-919-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2716-1351-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2944-904-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2980-1215-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3040-1551-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3044-1907-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3092-146-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3092-18-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3204-1171-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3212-620-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3304-2226-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3548-1816-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3564-966-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3800-639-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3884-2092-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4128-935-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4168-1413-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4324-946-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4324-1382-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4388-2104-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4492-1826-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4588-1123-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4744-17-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-315-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4908-1672-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4928-1867-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4944-0-0x00007FFDBF313000-0x00007FFDBF315000-memory.dmp

Filesize
8KB

Download
memory/4944-16-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-10-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-1-0x00000000008C0000-0x0000000000EA0000-memory.dmp

Filesize
5.9MB

Download
memory/4952-1393-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/5036-1239-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/5076-1847-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download