cryptbot | 28ad8571a737ed7bfa0c7bf42eff699b1a05f5e5451754f2b0c2651f2d34d360

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-12-2021 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Catia-V-R-Crack-Bitr_aw2jo2k.exe
Size

4.4MB
MD5

31ac11da3ff0c5ea9a9952ab15e2b7b2
SHA1

d6bae54386b12b28480af0a1702433b0b795f91f
SHA256

28ad8571a737ed7bfa0c7bf42eff699b1a05f5e5451754f2b0c2651f2d34d360
SHA512

1f6ed529199bbc7bca5fb1a2e63ebd384ec2dbd89c6d3708fcf8f08672a3ac603016b07dcd32e4814008cb19be9fcafac45555b68e9e1ba85cb9a3665e8d4e21

Score

10^/10

cryptbot redline 1812 discovery evasion infostealer spyware stealer themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

1812

m360li.info:81

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1156-114-0x0000000000540000-0x000000000056F000-memory.dmp	family_redline
behavioral1/memory/1156-128-0x0000000000570000-0x0000000000590000-memory.dmp	family_redline
behavioral1/memory/1156-129-0x0000000000570000-0x0000000000590000-memory.dmp	family_redline

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\ApiTool.dll	acprotect

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

is-N6CRK.tmpDolor.exekADg4mle9XU.exeUk6LR.exeUk6LR.exevpn.exeSkype.exevpn.tmp82148791051.exetapinstall.exe48569949493.exe

pid	process
836	is-N6CRK.tmp
1476	Dolor.exe
648	kADg4mle9XU.exe
1528	Uk6LR.exe
1052	Uk6LR.exe
1832	vpn.exe
1156	Skype.exe
1632	vpn.tmp
1964	82148791051.exe
1904	tapinstall.exe
728	48569949493.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\ApiTool.dll	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

48569949493.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48569949493.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48569949493.exe

Loads dropped DLL 26 IoCs

Processes:

Catia-V-R-Crack-Bitr_aw2jo2k.exeis-N6CRK.tmpDolor.exeUk6LR.exekADg4mle9XU.exevpn.exevpn.tmpcmd.execmd.execmd.exe

pid	process
1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe
836	is-N6CRK.tmp
836	is-N6CRK.tmp
836	is-N6CRK.tmp
836	is-N6CRK.tmp
1476	Dolor.exe
1476	Dolor.exe
1476	Dolor.exe
1476	Dolor.exe
1476	Dolor.exe
1528	Uk6LR.exe
1476	Dolor.exe
648	kADg4mle9XU.exe
648	kADg4mle9XU.exe
1832	vpn.exe
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1660	cmd.exe
1660	cmd.exe
1472	cmd.exe
1472	cmd.exe
1424	cmd.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe	themida
\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe	themida
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe	themida
behavioral1/memory/728-171-0x0000000000DE0000-0x00000000014D3000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

48569949493.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 48569949493.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

48569949493.exe

pid process

728 48569949493.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Uk6LR.exe

description pid process target process

PID 1528 set thread context of 1052 1528 Uk6LR.exe Uk6LR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	48569949493.exe

pid	process
728	48569949493.exe

description	pid	process	target process
PID 1528 set thread context of 1052	1528	Uk6LR.exe	Uk6LR.exe

autoit_exe 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe	autoit_exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpis-N6CRK.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9CCU0.tmp	vpn.tmp
File created	C:\Program Files (x86)\Et\is-BBR7J.tmp	is-N6CRK.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-FNNII.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-M2JAG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BAV1N.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-TJTL3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-J7T6K.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-GREMC.tmp	vpn.tmp
File created	C:\Program Files (x86)\Et\ut\is-5ESDN.tmp	is-N6CRK.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MB4MC.tmp	vpn.tmp
File created	C:\Program Files (x86)\Et\unins000.dat	is-N6CRK.tmp
File created	C:\Program Files (x86)\Et\aliquam\is-59EA6.tmp	is-N6CRK.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-SJ2AD.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-ANBG3.tmp	vpn.tmp
File created	C:\Program Files (x86)\Et\ut\is-5J1LO.tmp	is-N6CRK.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-ATIE9.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3V2H8.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-M7BCC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-7V433.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-54U4M.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-A0298.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-K4282.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-UFC3U.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CMUSP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6K6VK.tmp	vpn.tmp
File created	C:\Program Files (x86)\Et\aliquam\is-DLR0S.tmp	is-N6CRK.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GPMCL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-92K7Q.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File created	C:\Program Files (x86)\Et\is-RBQ9V.tmp	is-N6CRK.tmp
File created	C:\Program Files (x86)\Et\is-ICBJ9.tmp	is-N6CRK.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-FEPB7.tmp	vpn.tmp
File created	C:\Program Files (x86)\Et\quo\is-ERPHO.tmp	is-N6CRK.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-B89CM.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-8QTLM.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-DFH51.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1OB7S.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-L512L.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-NRO5G.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-04UNC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-7TQTB.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-RVP03.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-Q2FMI.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-P99QN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-SCEAS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-0IJ4G.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-0M1H2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GVD1M.tmp	vpn.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01DCFBB1-6469-11EC-B96D-E2EFF2F4E71D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

vpn.tmpDolor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Dolor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Dolor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Dolor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Dolor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Dolor.exevpn.tmp48569949493.exe

pid process

1476 Dolor.exe
1476 Dolor.exe
1476 Dolor.exe
1632 vpn.tmp
1632 vpn.tmp
1632 vpn.tmp
728 48569949493.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vpn.tmp

description pid process

Token: SeDebugPrivilege 1632 vpn.tmp
Token: SeDebugPrivilege 1632 vpn.tmp

pid	process
1476	Dolor.exe
1476	Dolor.exe
1476	Dolor.exe
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
728	48569949493.exe

description	pid	process
Token: SeDebugPrivilege	1632	vpn.tmp
Token: SeDebugPrivilege	1632	vpn.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exevpn.tmp

pid	process
1844	iexplore.exe
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp
1632	vpn.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1844 iexplore.exe
1844 iexplore.exe
1640 IEXPLORE.EXE
1640 IEXPLORE.EXE
1640 IEXPLORE.EXE
1640 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Catia-V-R-Crack-Bitr_aw2jo2k.exeis-N6CRK.tmpDolor.exeiexplore.exeUk6LR.exekADg4mle9XU.exevpn.exeUk6LR.execmd.exevpn.tmp

description	pid	process	target process
PID 1668 wrote to memory of 836	1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe	is-N6CRK.tmp
PID 1668 wrote to memory of 836	1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe	is-N6CRK.tmp
PID 1668 wrote to memory of 836	1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe	is-N6CRK.tmp
PID 1668 wrote to memory of 836	1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe	is-N6CRK.tmp
PID 1668 wrote to memory of 836	1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe	is-N6CRK.tmp
PID 1668 wrote to memory of 836	1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe	is-N6CRK.tmp
PID 1668 wrote to memory of 836	1668	Catia-V-R-Crack-Bitr_aw2jo2k.exe	is-N6CRK.tmp
PID 836 wrote to memory of 1476	836	is-N6CRK.tmp	Dolor.exe
PID 836 wrote to memory of 1476	836	is-N6CRK.tmp	Dolor.exe
PID 836 wrote to memory of 1476	836	is-N6CRK.tmp	Dolor.exe
PID 836 wrote to memory of 1476	836	is-N6CRK.tmp	Dolor.exe
PID 1476 wrote to memory of 1844	1476	Dolor.exe	iexplore.exe
PID 1476 wrote to memory of 1844	1476	Dolor.exe	iexplore.exe
PID 1476 wrote to memory of 1844	1476	Dolor.exe	iexplore.exe
PID 1476 wrote to memory of 1844	1476	Dolor.exe	iexplore.exe
PID 1844 wrote to memory of 1640	1844	iexplore.exe	IEXPLORE.EXE
PID 1844 wrote to memory of 1640	1844	iexplore.exe	IEXPLORE.EXE
PID 1844 wrote to memory of 1640	1844	iexplore.exe	IEXPLORE.EXE
PID 1844 wrote to memory of 1640	1844	iexplore.exe	IEXPLORE.EXE
PID 1476 wrote to memory of 648	1476	Dolor.exe	kADg4mle9XU.exe
PID 1476 wrote to memory of 648	1476	Dolor.exe	kADg4mle9XU.exe
PID 1476 wrote to memory of 648	1476	Dolor.exe	kADg4mle9XU.exe
PID 1476 wrote to memory of 648	1476	Dolor.exe	kADg4mle9XU.exe
PID 1476 wrote to memory of 1528	1476	Dolor.exe	Uk6LR.exe
PID 1476 wrote to memory of 1528	1476	Dolor.exe	Uk6LR.exe
PID 1476 wrote to memory of 1528	1476	Dolor.exe	Uk6LR.exe
PID 1476 wrote to memory of 1528	1476	Dolor.exe	Uk6LR.exe
PID 1528 wrote to memory of 1052	1528	Uk6LR.exe	Uk6LR.exe
PID 1528 wrote to memory of 1052	1528	Uk6LR.exe	Uk6LR.exe
PID 1528 wrote to memory of 1052	1528	Uk6LR.exe	Uk6LR.exe
PID 1528 wrote to memory of 1052	1528	Uk6LR.exe	Uk6LR.exe
PID 1528 wrote to memory of 1052	1528	Uk6LR.exe	Uk6LR.exe
PID 1528 wrote to memory of 1052	1528	Uk6LR.exe	Uk6LR.exe
PID 1476 wrote to memory of 1832	1476	Dolor.exe	vpn.exe
PID 1476 wrote to memory of 1832	1476	Dolor.exe	vpn.exe
PID 1476 wrote to memory of 1832	1476	Dolor.exe	vpn.exe
PID 1476 wrote to memory of 1832	1476	Dolor.exe	vpn.exe
PID 1476 wrote to memory of 1832	1476	Dolor.exe	vpn.exe
PID 1476 wrote to memory of 1832	1476	Dolor.exe	vpn.exe
PID 1476 wrote to memory of 1832	1476	Dolor.exe	vpn.exe
PID 648 wrote to memory of 1156	648	kADg4mle9XU.exe	Skype.exe
PID 648 wrote to memory of 1156	648	kADg4mle9XU.exe	Skype.exe
PID 648 wrote to memory of 1156	648	kADg4mle9XU.exe	Skype.exe
PID 648 wrote to memory of 1156	648	kADg4mle9XU.exe	Skype.exe
PID 1832 wrote to memory of 1632	1832	vpn.exe	vpn.tmp
PID 1832 wrote to memory of 1632	1832	vpn.exe	vpn.tmp
PID 1832 wrote to memory of 1632	1832	vpn.exe	vpn.tmp
PID 1832 wrote to memory of 1632	1832	vpn.exe	vpn.tmp
PID 1832 wrote to memory of 1632	1832	vpn.exe	vpn.tmp
PID 1832 wrote to memory of 1632	1832	vpn.exe	vpn.tmp
PID 1832 wrote to memory of 1632	1832	vpn.exe	vpn.tmp
PID 1052 wrote to memory of 1660	1052	Uk6LR.exe	cmd.exe
PID 1052 wrote to memory of 1660	1052	Uk6LR.exe	cmd.exe
PID 1052 wrote to memory of 1660	1052	Uk6LR.exe	cmd.exe
PID 1052 wrote to memory of 1660	1052	Uk6LR.exe	cmd.exe
PID 1660 wrote to memory of 1964	1660	cmd.exe	82148791051.exe
PID 1660 wrote to memory of 1964	1660	cmd.exe	82148791051.exe
PID 1660 wrote to memory of 1964	1660	cmd.exe	82148791051.exe
PID 1660 wrote to memory of 1964	1660	cmd.exe	82148791051.exe
PID 1632 wrote to memory of 1472	1632	vpn.tmp	cmd.exe
PID 1632 wrote to memory of 1472	1632	vpn.tmp	cmd.exe
PID 1632 wrote to memory of 1472	1632	vpn.tmp	cmd.exe
PID 1632 wrote to memory of 1472	1632	vpn.tmp	cmd.exe
PID 1632 wrote to memory of 1472	1632	vpn.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Catia-V-R-Crack-Bitr_aw2jo2k.exe
"C:\Users\Admin\AppData\Local\Temp\Catia-V-R-Crack-Bitr_aw2jo2k.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\is-2IGHJ.tmp\is-N6CRK.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2IGHJ.tmp\is-N6CRK.tmp" /SL4 $40108 "C:\Users\Admin\AppData\Local\Temp\Catia-V-R-Crack-Bitr_aw2jo2k.exe" 4426979 52736
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files (x86)\Et\quo\Dolor.exe
"C:\Program Files (x86)\Et/\quo\Dolor.exe" 23f151a942ce9ae176086b16882d65ad
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://totrakto.com/Catia-V5-R19-Crack-64-Bit.rar.zip
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe
C:\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\Skype.exe
C:\Users\Admin\AppData\Local\Temp\Skype.exe
5⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
C:\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe /usthree SUB=23f151a942ce9ae176086b16882d65ad
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
C:\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe /usthree SUB=23f151a942ce9ae176086b16882d65ad
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\82148791051.exe"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\82148791051.exe
"C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\82148791051.exe"
7⤵
- Executes dropped EXE
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe" /us
6⤵
- Loads dropped DLL
PID:1424

C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe
"C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe" /us
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\35034723711.exe" /us
6⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\35034723711.exe
"C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\35034723711.exe" /us
7⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\9HnYCq6S\vpn.exe
C:\Users\Admin\AppData\Local\Temp\9HnYCq6S\vpn.exe /silent /subid=510x23f151a942ce9ae176086b16882d65ad
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\is-ANEF7.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ANEF7.tmp\vpn.tmp" /SL5="$2023A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\9HnYCq6S\vpn.exe" /silent /subid=510x23f151a942ce9ae176086b16882d65ad
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
6⤵
- Loads dropped DLL
PID:1472

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
7⤵
- Executes dropped EXE
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Et\quo\Dolor.exe
MD5
1e9d3161f0585d7188a37710a36dd620

SHA1
118dc56ae7626b40a46f86e615e9fb2d6adbbfd9

SHA256
1658017cd61fd615be6d60b5a43070b22a1af34f85de40bd672f055d628d16e9

SHA512
20cc5daf59d3849d72ec465dcb8a4305ce7779f06a888f1c05540573a2015308c6372defa57b7dbc9ea5d7c6438aedce81864115f4b7a07ae4de9540fb343ddf

Download Submit
C:\Program Files (x86)\Et\quo\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
MD5
9133a44bfd841b8849bddead9957c2c3

SHA1
3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

SHA256
b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

SHA512
d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HnYCq6S\vpn.exe
MD5
1ed0798570272f2c94ed7b99135ee93d

SHA1
b4b66a74480623ed4bbf9af3fd4488051fb05fec

SHA256
48267762aa0f759061efa0b893dc5307f7079fdd3367cbef49ba4f9a9ff389b9

SHA512
64ef300a9f24c1d9f841ec3ec97b842a66459c5522cb4b12906dbb4eb6916cc80a03155c0a427e49a108726de1430b801d7c1768167837bb18573fc65bfcb6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HnYCq6S\vpn.exe
MD5
1ed0798570272f2c94ed7b99135ee93d

SHA1
b4b66a74480623ed4bbf9af3fd4488051fb05fec

SHA256
48267762aa0f759061efa0b893dc5307f7079fdd3367cbef49ba4f9a9ff389b9

SHA512
64ef300a9f24c1d9f841ec3ec97b842a66459c5522cb4b12906dbb4eb6916cc80a03155c0a427e49a108726de1430b801d7c1768167837bb18573fc65bfcb6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe
MD5
bff03beb0bebf6c97b4f75387221082e

SHA1
1e7f93dbf118748b3078a5ed7f28cb4a2e03edb1

SHA256
cfb6dbfed10c59baa25fdd15fa3649f4844c9ff7a0aa782016c71f4f0156df3b

SHA512
5fdcaa381f8b5c7edfe1868c5a19496713f48df8fd6cf58b8fa0f5e0fedc1f3369eaf2d85369c1fc039b01ddc8daa535a155c18aade01ac10ea8c35a8b3ba6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe
MD5
bff03beb0bebf6c97b4f75387221082e

SHA1
1e7f93dbf118748b3078a5ed7f28cb4a2e03edb1

SHA256
cfb6dbfed10c59baa25fdd15fa3649f4844c9ff7a0aa782016c71f4f0156df3b

SHA512
5fdcaa381f8b5c7edfe1868c5a19496713f48df8fd6cf58b8fa0f5e0fedc1f3369eaf2d85369c1fc039b01ddc8daa535a155c18aade01ac10ea8c35a8b3ba6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skype.exe
MD5
4ae0cc591c73abc92591de3342de4ec0

SHA1
128612389a79288e6273b4a34e429d106e8f8091

SHA256
f3ecea3c50e711bcdd5ae2b085721d7eabd7354ee4e06dab56cad2b1d8c2c0f0

SHA512
2a290f20c8f3977e4790da06726cb2b5d4c8f9484010c5bdb4ddfba0a0d1f234ed7eea564bcfa2eca40b8befb313babbabcd72759ffa7c860089405f5933c879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skype.exe
MD5
4ae0cc591c73abc92591de3342de4ec0

SHA1
128612389a79288e6273b4a34e429d106e8f8091

SHA256
f3ecea3c50e711bcdd5ae2b085721d7eabd7354ee4e06dab56cad2b1d8c2c0f0

SHA512
2a290f20c8f3977e4790da06726cb2b5d4c8f9484010c5bdb4ddfba0a0d1f234ed7eea564bcfa2eca40b8befb313babbabcd72759ffa7c860089405f5933c879

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2IGHJ.tmp\is-N6CRK.tmp
MD5
7d4f2f6d77755eb3ab2f32678b51e48e

SHA1
c42f92874abcab6b45922b6e53a0a017be1ec705

SHA256
3684dec2f56b6f8bd9f72d21e2f321bc105084a2d77d7d9b2f46821f69bbfd26

SHA512
573addc8d53bbbd1215887734c999a43bb53e3864a5a1ecacf33813f51e8b84639381e4947fdd71b0a3af0b22a86f340e7d29e835f7789cef1bb238000564f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2IGHJ.tmp\is-N6CRK.tmp
MD5
7d4f2f6d77755eb3ab2f32678b51e48e

SHA1
c42f92874abcab6b45922b6e53a0a017be1ec705

SHA256
3684dec2f56b6f8bd9f72d21e2f321bc105084a2d77d7d9b2f46821f69bbfd26

SHA512
573addc8d53bbbd1215887734c999a43bb53e3864a5a1ecacf33813f51e8b84639381e4947fdd71b0a3af0b22a86f340e7d29e835f7789cef1bb238000564f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ANEF7.tmp\vpn.tmp
MD5
6873578ee5b3b15f53cfdb774bdc9956

SHA1
d3c6ef607604fff7dc199129f205fda80932228b

SHA256
a07f9fe188bdfd00badbae40e3f51bb88c39fc648f22bd73849a4ddf5a241ef8

SHA512
b134dbb05cffc27f33e18466ca43d2d237adb8deea42b0300e6a446302fd6544f1801a6d76e98b4119103e23de5c6043e82f0aef950f3f95c630848e71297047

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ANEF7.tmp\vpn.tmp
MD5
6873578ee5b3b15f53cfdb774bdc9956

SHA1
d3c6ef607604fff7dc199129f205fda80932228b

SHA256
a07f9fe188bdfd00badbae40e3f51bb88c39fc648f22bd73849a4ddf5a241ef8

SHA512
b134dbb05cffc27f33e18466ca43d2d237adb8deea42b0300e6a446302fd6544f1801a6d76e98b4119103e23de5c6043e82f0aef950f3f95c630848e71297047

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
MD5
6eb3504134002abaa4fbd81de85f393f

SHA1
299202602c5c3922ad0c4ce6001ef8f25e21293b

SHA256
0fe979a7b3374701bda3e5762ab7bb1decb987046e357ce9901140cc5de0eaf2

SHA512
4fe731213b1bd2a2f7db39c977b429848464c397fc0306f4267c01c1e35f0dc54d948a2f8318cced07267c9f2b0c9ba3868ab2f599ddbfaeab2325bc701d6dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
MD5
6eb3504134002abaa4fbd81de85f393f

SHA1
299202602c5c3922ad0c4ce6001ef8f25e21293b

SHA256
0fe979a7b3374701bda3e5762ab7bb1decb987046e357ce9901140cc5de0eaf2

SHA512
4fe731213b1bd2a2f7db39c977b429848464c397fc0306f4267c01c1e35f0dc54d948a2f8318cced07267c9f2b0c9ba3868ab2f599ddbfaeab2325bc701d6dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
MD5
6eb3504134002abaa4fbd81de85f393f

SHA1
299202602c5c3922ad0c4ce6001ef8f25e21293b

SHA256
0fe979a7b3374701bda3e5762ab7bb1decb987046e357ce9901140cc5de0eaf2

SHA512
4fe731213b1bd2a2f7db39c977b429848464c397fc0306f4267c01c1e35f0dc54d948a2f8318cced07267c9f2b0c9ba3868ab2f599ddbfaeab2325bc701d6dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\35034723711.exe
MD5
2827c9dd5be48f9cbe3e9ffdde909d39

SHA1
7a416430d93213e45dbc1b25c9b396c7e4dd82d2

SHA256
8f8475fc7dc20bda8e0d6b605bf23de4a210a2f8035144d50e724ebc072a5bce

SHA512
b825d43c592b6f15bc838d607336e801d028a02c8d3ed4f42e755c30c8196231870116a63270c43f1c118693e25a352ecd601a11988392393dfa6d5f0a99435f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\35034723711.exe
MD5
67e4eddc4e547d6f82de987d9297c254

SHA1
772121f320e37bae17546bc98ecd52365e57fa54

SHA256
304659e7abd2c3bc97183e9536cd89280f4daa7beca1885fc4edc67b65239328

SHA512
0a0286d7a4bd6eb65d50d1850e0623b563f09491c2f555cec03d94509ac57e8ce636a2d55f1bea885440da4e9bf9abf7afdb3180e6730426e92c3d2dceb906a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe
MD5
e55422d97015ca9945114cebaeba4cbf

SHA1
671d3c900b4aa7b4568e8a4c61a49075fc74484b

SHA256
f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420

SHA512
9453ae884da5d039fa0ca4fc33216b1ca02d2b40831edf534d7fde16a01c045f1c49ae7935ab317cd6f515e21a9a22ee14cbf3a068627b03e334cdc115603f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe
MD5
e55422d97015ca9945114cebaeba4cbf

SHA1
671d3c900b4aa7b4568e8a4c61a49075fc74484b

SHA256
f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420

SHA512
9453ae884da5d039fa0ca4fc33216b1ca02d2b40831edf534d7fde16a01c045f1c49ae7935ab317cd6f515e21a9a22ee14cbf3a068627b03e334cdc115603f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\82148791051.exe
MD5
7b3c4789e297601a4bc71948fac1e215

SHA1
7bccc6ebb5b30c647d2085509e4adf3b436329d6

SHA256
1ab86bb68ac2e405484c77de4bb809fc258f349da91d161c42f8683d0ecd6ad1

SHA512
a544354f22092170c1a5a3fa9e06fdf3143450243a481e4d2e66cc7bab0b23a464a8ebcb3c48a163aaf5311d1f2006f4ef842148d8303c200fc9ae1d9f166487

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\82148791051.exe
MD5
7b3c4789e297601a4bc71948fac1e215

SHA1
7bccc6ebb5b30c647d2085509e4adf3b436329d6

SHA256
1ab86bb68ac2e405484c77de4bb809fc258f349da91d161c42f8683d0ecd6ad1

SHA512
a544354f22092170c1a5a3fa9e06fdf3143450243a481e4d2e66cc7bab0b23a464a8ebcb3c48a163aaf5311d1f2006f4ef842148d8303c200fc9ae1d9f166487

Download Submit
\Program Files (x86)\Et\quo\Dolor.exe
MD5
1e9d3161f0585d7188a37710a36dd620

SHA1
118dc56ae7626b40a46f86e615e9fb2d6adbbfd9

SHA256
1658017cd61fd615be6d60b5a43070b22a1af34f85de40bd672f055d628d16e9

SHA512
20cc5daf59d3849d72ec465dcb8a4305ce7779f06a888f1c05540573a2015308c6372defa57b7dbc9ea5d7c6438aedce81864115f4b7a07ae4de9540fb343ddf

Download Submit
\Program Files (x86)\Et\quo\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
\Users\Admin\AppData\Local\Temp\9HnYCq6S\vpn.exe
MD5
1ed0798570272f2c94ed7b99135ee93d

SHA1
b4b66a74480623ed4bbf9af3fd4488051fb05fec

SHA256
48267762aa0f759061efa0b893dc5307f7079fdd3367cbef49ba4f9a9ff389b9

SHA512
64ef300a9f24c1d9f841ec3ec97b842a66459c5522cb4b12906dbb4eb6916cc80a03155c0a427e49a108726de1430b801d7c1768167837bb18573fc65bfcb6e0

Download Submit
\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe
MD5
bff03beb0bebf6c97b4f75387221082e

SHA1
1e7f93dbf118748b3078a5ed7f28cb4a2e03edb1

SHA256
cfb6dbfed10c59baa25fdd15fa3649f4844c9ff7a0aa782016c71f4f0156df3b

SHA512
5fdcaa381f8b5c7edfe1868c5a19496713f48df8fd6cf58b8fa0f5e0fedc1f3369eaf2d85369c1fc039b01ddc8daa535a155c18aade01ac10ea8c35a8b3ba6a3

Download Submit
\Users\Admin\AppData\Local\Temp\NOjFC4fh\kADg4mle9XU.exe
MD5
bff03beb0bebf6c97b4f75387221082e

SHA1
1e7f93dbf118748b3078a5ed7f28cb4a2e03edb1

SHA256
cfb6dbfed10c59baa25fdd15fa3649f4844c9ff7a0aa782016c71f4f0156df3b

SHA512
5fdcaa381f8b5c7edfe1868c5a19496713f48df8fd6cf58b8fa0f5e0fedc1f3369eaf2d85369c1fc039b01ddc8daa535a155c18aade01ac10ea8c35a8b3ba6a3

Download Submit
\Users\Admin\AppData\Local\Temp\Skype.exe
MD5
4ae0cc591c73abc92591de3342de4ec0

SHA1
128612389a79288e6273b4a34e429d106e8f8091

SHA256
f3ecea3c50e711bcdd5ae2b085721d7eabd7354ee4e06dab56cad2b1d8c2c0f0

SHA512
2a290f20c8f3977e4790da06726cb2b5d4c8f9484010c5bdb4ddfba0a0d1f234ed7eea564bcfa2eca40b8befb313babbabcd72759ffa7c860089405f5933c879

Download Submit
\Users\Admin\AppData\Local\Temp\Skype.exe
MD5
4ae0cc591c73abc92591de3342de4ec0

SHA1
128612389a79288e6273b4a34e429d106e8f8091

SHA256
f3ecea3c50e711bcdd5ae2b085721d7eabd7354ee4e06dab56cad2b1d8c2c0f0

SHA512
2a290f20c8f3977e4790da06726cb2b5d4c8f9484010c5bdb4ddfba0a0d1f234ed7eea564bcfa2eca40b8befb313babbabcd72759ffa7c860089405f5933c879

Download Submit
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\ApiTool.dll
MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\InnoCallback.dll
MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\botva2.dll
MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-1JLR8.tmp\libMaskVPN.dll
MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
\Users\Admin\AppData\Local\Temp\is-2IGHJ.tmp\is-N6CRK.tmp
MD5
7d4f2f6d77755eb3ab2f32678b51e48e

SHA1
c42f92874abcab6b45922b6e53a0a017be1ec705

SHA256
3684dec2f56b6f8bd9f72d21e2f321bc105084a2d77d7d9b2f46821f69bbfd26

SHA512
573addc8d53bbbd1215887734c999a43bb53e3864a5a1ecacf33813f51e8b84639381e4947fdd71b0a3af0b22a86f340e7d29e835f7789cef1bb238000564f14

Download Submit
\Users\Admin\AppData\Local\Temp\is-ANEF7.tmp\vpn.tmp
MD5
6873578ee5b3b15f53cfdb774bdc9956

SHA1
d3c6ef607604fff7dc199129f205fda80932228b

SHA256
a07f9fe188bdfd00badbae40e3f51bb88c39fc648f22bd73849a4ddf5a241ef8

SHA512
b134dbb05cffc27f33e18466ca43d2d237adb8deea42b0300e6a446302fd6544f1801a6d76e98b4119103e23de5c6043e82f0aef950f3f95c630848e71297047

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6PT5.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6PT5.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6PT5.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
MD5
6eb3504134002abaa4fbd81de85f393f

SHA1
299202602c5c3922ad0c4ce6001ef8f25e21293b

SHA256
0fe979a7b3374701bda3e5762ab7bb1decb987046e357ce9901140cc5de0eaf2

SHA512
4fe731213b1bd2a2f7db39c977b429848464c397fc0306f4267c01c1e35f0dc54d948a2f8318cced07267c9f2b0c9ba3868ab2f599ddbfaeab2325bc701d6dda

Download Submit
\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
MD5
6eb3504134002abaa4fbd81de85f393f

SHA1
299202602c5c3922ad0c4ce6001ef8f25e21293b

SHA256
0fe979a7b3374701bda3e5762ab7bb1decb987046e357ce9901140cc5de0eaf2

SHA512
4fe731213b1bd2a2f7db39c977b429848464c397fc0306f4267c01c1e35f0dc54d948a2f8318cced07267c9f2b0c9ba3868ab2f599ddbfaeab2325bc701d6dda

Download Submit
\Users\Admin\AppData\Local\Temp\wOWXrBZU\Uk6LR.exe
MD5
6eb3504134002abaa4fbd81de85f393f

SHA1
299202602c5c3922ad0c4ce6001ef8f25e21293b

SHA256
0fe979a7b3374701bda3e5762ab7bb1decb987046e357ce9901140cc5de0eaf2

SHA512
4fe731213b1bd2a2f7db39c977b429848464c397fc0306f4267c01c1e35f0dc54d948a2f8318cced07267c9f2b0c9ba3868ab2f599ddbfaeab2325bc701d6dda

Download Submit
\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\48569949493.exe
MD5
e55422d97015ca9945114cebaeba4cbf

SHA1
671d3c900b4aa7b4568e8a4c61a49075fc74484b

SHA256
f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420

SHA512
9453ae884da5d039fa0ca4fc33216b1ca02d2b40831edf534d7fde16a01c045f1c49ae7935ab317cd6f515e21a9a22ee14cbf3a068627b03e334cdc115603f6f

Download Submit
\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\82148791051.exe
MD5
7b3c4789e297601a4bc71948fac1e215

SHA1
7bccc6ebb5b30c647d2085509e4adf3b436329d6

SHA256
1ab86bb68ac2e405484c77de4bb809fc258f349da91d161c42f8683d0ecd6ad1

SHA512
a544354f22092170c1a5a3fa9e06fdf3143450243a481e4d2e66cc7bab0b23a464a8ebcb3c48a163aaf5311d1f2006f4ef842148d8303c200fc9ae1d9f166487

Download Submit
\Users\Admin\AppData\Local\Temp\{B8bz-1MjeV-tvHH-Anpcg}\82148791051.exe
MD5
7b3c4789e297601a4bc71948fac1e215

SHA1
7bccc6ebb5b30c647d2085509e4adf3b436329d6

SHA256
1ab86bb68ac2e405484c77de4bb809fc258f349da91d161c42f8683d0ecd6ad1

SHA512
a544354f22092170c1a5a3fa9e06fdf3143450243a481e4d2e66cc7bab0b23a464a8ebcb3c48a163aaf5311d1f2006f4ef842148d8303c200fc9ae1d9f166487

Download Submit
memory/432-169-0x0000000000000000-mapping.dmp

Download
memory/648-80-0x0000000000000000-mapping.dmp

Download
memory/728-166-0x0000000000000000-mapping.dmp

Download
memory/728-176-0x0000000000DE0000-0x00000000014D3000-memory.dmp

Filesize
6.9MB

Download
memory/728-171-0x0000000000DE0000-0x00000000014D3000-memory.dmp

Filesize
6.9MB

Download
memory/780-174-0x0000000000000000-mapping.dmp

Download
memory/836-59-0x0000000000000000-mapping.dmp

Download
memory/836-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1052-90-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1052-95-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1052-91-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1052-92-0x000000000041616A-mapping.dmp

Download
memory/1156-124-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1156-105-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/1156-130-0x00000000022A1000-0x00000000022A2000-memory.dmp

Filesize
4KB

Download
memory/1156-131-0x00000000022A2000-0x00000000022A3000-memory.dmp

Filesize
4KB

Download
memory/1156-129-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/1156-128-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/1156-101-0x0000000000000000-mapping.dmp

Download
memory/1156-114-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/1156-107-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1156-108-0x00000000006E0000-0x000000000071A000-memory.dmp

Filesize
232KB

Download
memory/1156-132-0x00000000022A4000-0x00000000022A5000-memory.dmp

Filesize
4KB

Download
memory/1424-157-0x0000000000000000-mapping.dmp

Download
memory/1472-156-0x0000000000000000-mapping.dmp

Download
memory/1476-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1476-74-0x0000000000400000-0x000000000188B000-memory.dmp

Filesize
20.5MB

Download
memory/1476-73-0x0000000000400000-0x000000000188B000-memory.dmp

Filesize
20.5MB

Download
memory/1476-68-0x0000000000000000-mapping.dmp

Download
memory/1528-86-0x0000000000000000-mapping.dmp

Download
memory/1632-146-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1632-125-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1632-121-0x0000000000000000-mapping.dmp

Download
memory/1632-134-0x0000000006FD0000-0x00000000072B0000-memory.dmp

Filesize
2.9MB

Download
memory/1632-148-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1632-135-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1632-141-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1632-142-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1632-147-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1632-145-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1632-144-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1632-143-0x0000000007E10000-0x0000000007E14000-memory.dmp

Filesize
16KB

Download
memory/1640-77-0x0000000000000000-mapping.dmp

Download
memory/1660-149-0x0000000000000000-mapping.dmp

Download
memory/1668-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1668-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1832-97-0x0000000000000000-mapping.dmp

Download
memory/1832-110-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1844-76-0x0000000000000000-mapping.dmp

Download
memory/1904-162-0x0000000000000000-mapping.dmp

Download
memory/1964-153-0x0000000000000000-mapping.dmp

Download