Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/01/2025, 22:07
Behavioral task: behavioral1
- Sample: 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
- Resource: win7-20240903-en
General
- Target: 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
- Size: 256KB
- MD5: 35acbae676bebc38d9948c0176d3eb55
- SHA1: 2eba5c17218ea94e9a4da3d84f7de1d4bebca5fa
- SHA256: 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01
- SHA512: aee2376f59b2b923c14888b4c3e048f5d1c90fa25b0844f85d6d2aafbfcb4e0fee8ecc015fbebb54465d50c1864079ab39ec2ebd3c7a7f9db071756136672390
- SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6Y:Plf5j6zCNa0xeE3mR
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tdkmlnmfdo.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tdkmlnmfdo.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tdkmlnmfdo.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tdkmlnmfdo.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Executes dropped EXE (5 IoCs)
pid | Process
4000 | tdkmlnmfdo.exe
2424 | qvrwxqrmmjxkpdi.exe
4076 | dovyreyx.exe
4808 | cqjxieyamfukj.exe
1992 | dovyreyx.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tdkmlnmfdo.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ueybtikp = "tdkmlnmfdo.exe" | qvrwxqrmmjxkpdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlqmgzpe = "qvrwxqrmmjxkpdi.exe" | qvrwxqrmmjxkpdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cqjxieyamfukj.exe" | qvrwxqrmmjxkpdi.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tdkmlnmfdo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tdkmlnmfdo.exe
AutoIT Executable (63 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\tdkmlnmfdo.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File opened for modification | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File created | C:\Windows\SysWOW64\cqjxieyamfukj.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | C:\Windows\SysWOW64\tdkmlnmfdo.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File created | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File created | C:\Windows\SysWOW64\dovyreyx.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File opened for modification | C:\Windows\SysWOW64\dovyreyx.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File opened for modification | C:\Windows\SysWOW64\cqjxieyamfukj.exe | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tdkmlnmfdo.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dovyreyx.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dovyreyx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dovyreyx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dovyreyx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dovyreyx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dovyreyx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dovyreyx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dovyreyx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dovyreyx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dovyreyx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dovyreyx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dovyreyx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dovyreyx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dovyreyx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dovyreyx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dovyreyx.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | C:\Windows\mydoc.rtf | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dovyreyx.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dovyreyx.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dovyreyx.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dovyreyx.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dovyreyx.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dovyreyx.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dovyreyx.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dovyreyx.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tdkmlnmfdo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qvrwxqrmmjxkpdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dovyreyx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cqjxieyamfukj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dovyreyx.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tdkmlnmfdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tdkmlnmfdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tdkmlnmfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB0FF6D21DAD10FD0A78A0B906A" | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tdkmlnmfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tdkmlnmfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4F9C9FE16F2E784783A40819939E3B0F902FE42600332E2CE429D08A3" | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B15A449338EB52CCBAD7339CD4CE" | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67D14E3DAB6B8BA7F97EC9E34CC" | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tdkmlnmfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tdkmlnmfdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tdkmlnmfdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tdkmlnmfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tdkmlnmfdo.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tdkmlnmfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCF9482A82199131D75B7E9CBD97E144594166426335D79E" | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tdkmlnmfdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7C9C2283526A3076A570542CD87DF364D6" | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
5032 | WINWORD.EXE
5032 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
2424 | qvrwxqrmmjxkpdi.exe
2424 | qvrwxqrmmjxkpdi.exe
2424 | qvrwxqrmmjxkpdi.exe
4000 | tdkmlnmfdo.exe
4076 | dovyreyx.exe
4000 | tdkmlnmfdo.exe
4076 | dovyreyx.exe
4000 | tdkmlnmfdo.exe
4076 | dovyreyx.exe
4808 | cqjxieyamfukj.exe
4808 | cqjxieyamfukj.exe
4808 | cqjxieyamfukj.exe
1992 | dovyreyx.exe
1992 | dovyreyx.exe
1992 | dovyreyx.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
2424 | qvrwxqrmmjxkpdi.exe
2424 | qvrwxqrmmjxkpdi.exe
2424 | qvrwxqrmmjxkpdi.exe
4000 | tdkmlnmfdo.exe
4076 | dovyreyx.exe
4000 | tdkmlnmfdo.exe
4076 | dovyreyx.exe
4000 | tdkmlnmfdo.exe
4076 | dovyreyx.exe
4808 | cqjxieyamfukj.exe
4808 | cqjxieyamfukj.exe
4808 | cqjxieyamfukj.exe
1992 | dovyreyx.exe
1992 | dovyreyx.exe
1992 | dovyreyx.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
5032 | WINWORD.EXE
5032 | WINWORD.EXE
5032 | WINWORD.EXE
5032 | WINWORD.EXE
5032 | WINWORD.EXE
5032 | WINWORD.EXE
5032 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4284 wrote to memory of 4000 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 83
PID 4284 wrote to memory of 4000 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 83
PID 4284 wrote to memory of 4000 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 83
PID 4284 wrote to memory of 2424 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 84
PID 4284 wrote to memory of 2424 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 84
PID 4284 wrote to memory of 2424 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 84
PID 4284 wrote to memory of 4076 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 85
PID 4284 wrote to memory of 4076 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 85
PID 4284 wrote to memory of 4076 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 85
PID 4284 wrote to memory of 4808 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 86
PID 4284 wrote to memory of 4808 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 86
PID 4284 wrote to memory of 4808 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 86
PID 4284 wrote to memory of 5032 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 87
PID 4284 wrote to memory of 5032 | 4284 | 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | 87
PID 4000 wrote to memory of 1992 | 4000 | tdkmlnmfdo.exe | 89
PID 4000 wrote to memory of 1992 | 4000 | tdkmlnmfdo.exe | 89
PID 4000 wrote to memory of 1992 | 4000 | tdkmlnmfdo.exe | 89
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4284
Level 2: C:\Windows\SysWOW64\tdkmlnmfdo.exe
Command line: tdkmlnmfdo.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4000
Level 3: C:\Windows\SysWOW64\dovyreyx.exe
Command line: C:\Windows\system32\dovyreyx.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1992
Level 2: C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
Command line: qvrwxqrmmjxkpdi.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2424
Level 2: C:\Windows\SysWOW64\dovyreyx.exe
Command line: dovyreyx.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4076
Level 2: C:\Windows\SysWOW64\cqjxieyamfukj.exe
Command line: cqjxieyamfukj.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4808
Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 5032
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads