njrat | a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
22-09-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Size

663KB
MD5

e4df57bd77bee2f9c9e3ea85d9140cc7
SHA1

a382fdddc8b9c47d57878c8e3a24bd991400a76b
SHA256

a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc
SHA512

81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26
SSDEEP

12288:huk4uHbAxQCDsAePggw38ZFjejph6YKg4Mk0V/hDix9WE3QqH3csD4z:hJt7AGMExw38ZFjejph6YKg4MLC33csW

Score

10^/10

njrat hacked evasion persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

198.54.133.72:59249

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

juscheduler.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3" juscheduler.exe
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	juscheduler.exe

Executes dropped EXE 8 IoCs

Processes:

KernelUpdate1.exeKernelUpdate2.exejuscheduler.exeVisualUpdater-Text.exejuscheduler-2.exeVisualStudioUpdaterTmp.exeServer.exeServer.exe

pid	process
996	KernelUpdate1.exe
1760	KernelUpdate2.exe
1464	juscheduler.exe
1544	VisualUpdater-Text.exe
1248	juscheduler-2.exe
560	VisualStudioUpdaterTmp.exe
1948	Server.exe
1660	Server.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

KernelUpdate2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ExpandGet.png.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\MountGrant.raw.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\PushUnregister.raw.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\StopSet.tiff.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockExit.tif.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGet.tiff.Cry	KernelUpdate2.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\juscheduler-2.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe	vmprotect
behavioral1/memory/1248-90-0x0000000000CA0000-0x0000000000D18000-memory.dmp	vmprotect

Drops startup file 4 IoCs

Processes:

KernelUpdate2.exeKernelUpdate1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qRERbdKw22juwi2Y.exe	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qRERbdKw22juwi2Y.exe	KernelUpdate2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	KernelUpdate1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	KernelUpdate1.exe

Loads dropped DLL 13 IoCs

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.execmd.exeWerFault.exe

pid	process
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1736	cmd.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
880
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

juscheduler.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection juscheduler.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	juscheduler.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KernelUpdate1.exeHEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KernelUpdate1.exe\" .."	KernelUpdate1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Device Association Framework Provider Host.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe"	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KernelUpdate1.exe\" .."	KernelUpdate1.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
14 api64.ipify.org
15 api64.ipify.org

flow	ioc
22	ip-api.com
14	api64.ipify.org
15	api64.ipify.org

Drops file in System32 directory 2 IoCs

Processes:

juscheduler.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	juscheduler.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	juscheduler.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

KernelUpdate2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cry.img"	KernelUpdate2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1340 1364 WerFault.exe HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe

pid	pid_target	process	target process
1340	1364	WerFault.exe	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

pid	process
820	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exejuscheduler.exe

pid	process
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1464	juscheduler.exe
1464	juscheduler.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

KernelUpdate1.exe

pid process

996 KernelUpdate1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exeKernelUpdate1.exevssvc.exeKernelUpdate2.exe

description	pid	process
Token: SeDebugPrivilege	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Token: SeDebugPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: SeBackupPrivilege	1580	vssvc.exe
Token: SeRestorePrivilege	1580	vssvc.exe
Token: SeAuditPrivilege	1580	vssvc.exe
Token: SeDebugPrivilege	1760	KernelUpdate2.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe
Token: 33	996	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	996	KernelUpdate1.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.execmd.exeKernelUpdate1.exetaskeng.exe

description	pid	process	target process
PID 1364 wrote to memory of 996	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 1364 wrote to memory of 996	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 1364 wrote to memory of 996	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 1364 wrote to memory of 996	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 1364 wrote to memory of 996	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 1364 wrote to memory of 996	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 1364 wrote to memory of 996	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 1364 wrote to memory of 1760	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate2.exe
PID 1364 wrote to memory of 1760	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate2.exe
PID 1364 wrote to memory of 1760	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate2.exe
PID 1364 wrote to memory of 1760	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate2.exe
PID 1364 wrote to memory of 1736	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	cmd.exe
PID 1364 wrote to memory of 1736	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	cmd.exe
PID 1364 wrote to memory of 1736	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	cmd.exe
PID 1364 wrote to memory of 1736	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	cmd.exe
PID 1736 wrote to memory of 1464	1736	cmd.exe	juscheduler.exe
PID 1736 wrote to memory of 1464	1736	cmd.exe	juscheduler.exe
PID 1736 wrote to memory of 1464	1736	cmd.exe	juscheduler.exe
PID 1736 wrote to memory of 1464	1736	cmd.exe	juscheduler.exe
PID 1364 wrote to memory of 1544	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 1364 wrote to memory of 1544	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 1364 wrote to memory of 1544	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 1364 wrote to memory of 1544	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 1364 wrote to memory of 1544	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 1364 wrote to memory of 1544	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 1364 wrote to memory of 1544	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 996 wrote to memory of 820	996	KernelUpdate1.exe	schtasks.exe
PID 996 wrote to memory of 820	996	KernelUpdate1.exe	schtasks.exe
PID 996 wrote to memory of 820	996	KernelUpdate1.exe	schtasks.exe
PID 996 wrote to memory of 820	996	KernelUpdate1.exe	schtasks.exe
PID 1364 wrote to memory of 1248	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	juscheduler-2.exe
PID 1364 wrote to memory of 1248	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	juscheduler-2.exe
PID 1364 wrote to memory of 1248	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	juscheduler-2.exe
PID 1364 wrote to memory of 1248	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	juscheduler-2.exe
PID 1364 wrote to memory of 560	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualStudioUpdaterTmp.exe
PID 1364 wrote to memory of 560	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualStudioUpdaterTmp.exe
PID 1364 wrote to memory of 560	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualStudioUpdaterTmp.exe
PID 1364 wrote to memory of 560	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualStudioUpdaterTmp.exe
PID 1364 wrote to memory of 1620	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	netsh.exe
PID 1364 wrote to memory of 1620	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	netsh.exe
PID 1364 wrote to memory of 1620	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	netsh.exe
PID 1364 wrote to memory of 1620	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	netsh.exe
PID 1364 wrote to memory of 1340	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	WerFault.exe
PID 1364 wrote to memory of 1340	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	WerFault.exe
PID 1364 wrote to memory of 1340	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	WerFault.exe
PID 1364 wrote to memory of 1340	1364	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	WerFault.exe
PID 1912 wrote to memory of 1948	1912	taskeng.exe	Server.exe
PID 1912 wrote to memory of 1948	1912	taskeng.exe	Server.exe
PID 1912 wrote to memory of 1948	1912	taskeng.exe	Server.exe
PID 1912 wrote to memory of 1948	1912	taskeng.exe	Server.exe
PID 1912 wrote to memory of 1660	1912	taskeng.exe	Server.exe
PID 1912 wrote to memory of 1660	1912	taskeng.exe	Server.exe
PID 1912 wrote to memory of 1660	1912	taskeng.exe	Server.exe
PID 1912 wrote to memory of 1660	1912	taskeng.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe
"C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:820

C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe
"C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C juscheduler /D
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\juscheduler.exe
juscheduler /D
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe
"C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe"
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe
"C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe"
2⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
"C:\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe" -f json
2⤵
- Executes dropped EXE
PID:560

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
2⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2132
2⤵
- Loads dropped DLL
- Program crash
PID:1340

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1936

C:\Windows\system32\taskeng.exe
taskeng.exe {19C46C3E-C2FA-4449-9CC5-2DA9BB2433F7} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JavaLog714.txt
Filesize
24B

MD5
6ddac8dbf280190fda6f9ecc3167f804

SHA1
492ddc39d5467c84fa2a6e12a8dcf943cf4e2150

SHA256
e0d3567dc1fc114253fc66724b5e226ff1907a767abef8f684e3b7359719ab55

SHA512
77dafbba153b620ea5fced1d91dee2c9fbe80a5ac555929d2cf5c023a931dbd2a980cb719d28652779f9e785e45b772f98270ac7737f403e691fb0e2642789ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe
Filesize
213KB

MD5
93f60615483ac2d688014fb8abb49493

SHA1
a9e62e660df816b144eedf50634f79bad4ae5aaa

SHA256
e8a21b70b0c351d344ff21ac0c90a1d1473baeb5448c75a93fc892627d63481e

SHA512
195ab59e26050c8d9d00778556a30e76a88e69f625041623e74c56fbf226383ce3fc41d0c7a93fbed9a13f1399d4491e4c38e30f6452653f6518f69b23dfa202

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe
Filesize
213KB

MD5
93f60615483ac2d688014fb8abb49493

SHA1
a9e62e660df816b144eedf50634f79bad4ae5aaa

SHA256
e8a21b70b0c351d344ff21ac0c90a1d1473baeb5448c75a93fc892627d63481e

SHA512
195ab59e26050c8d9d00778556a30e76a88e69f625041623e74c56fbf226383ce3fc41d0c7a93fbed9a13f1399d4491e4c38e30f6452653f6518f69b23dfa202

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
Filesize
5.8MB

MD5
b7b1d390baaf579925ec6a33b6beeec8

SHA1
5adc077b6f3bb003612bee45dde4048c0b3badf7

SHA256
1a774eda0f7432744cecdfddf9f0e6d69fa1d89cba0530928d56db6a564a4cbb

SHA512
50be590f78123b67ad8c56010e07d7f713bf86c8bc1e21d857422667fd8b2c40cd45df06bf3b88c91e18a5c1bb749df4c33a109ff18a5c783320a85d5679cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe
Filesize
287KB

MD5
46ba1202b6647cd0c5f4313074521505

SHA1
0fd9cabf93ec4adf41837630c689399d5a0480bc

SHA256
2df6b0ff15250c330493d9ac2e4b8b69f96b80340539ba7fc66376ee6019ed74

SHA512
8c09b7bfcf8d1e09d4425d180c8ee7c623809f807508c344310f6aa70207f1163650b41b4f31af99361df41249f4aa48a098437cd65636557c100dae0433faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe
Filesize
287KB

MD5
46ba1202b6647cd0c5f4313074521505

SHA1
0fd9cabf93ec4adf41837630c689399d5a0480bc

SHA256
2df6b0ff15250c330493d9ac2e4b8b69f96b80340539ba7fc66376ee6019ed74

SHA512
8c09b7bfcf8d1e09d4425d180c8ee7c623809f807508c344310f6aa70207f1163650b41b4f31af99361df41249f4aa48a098437cd65636557c100dae0433faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe
Filesize
269KB

MD5
0aa1ab3c5fb489bcafd94c3531b78155

SHA1
8ae2e42d5330ab4eddb9790beb17c856ad8d7b6b

SHA256
376aa36dd9b2e2615005f04e75b27a63e12f398cc3df9f4a752d26760a29635a

SHA512
8d3684b3133818f9e9d4a979e62f9fc331ec6d3b34b7e4c854459332889f44bf29f6c8f8334f5c155071d4ab1b521d88fcca38360c22e8567fe0765e1350b038

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe
Filesize
269KB

MD5
0aa1ab3c5fb489bcafd94c3531b78155

SHA1
8ae2e42d5330ab4eddb9790beb17c856ad8d7b6b

SHA256
376aa36dd9b2e2615005f04e75b27a63e12f398cc3df9f4a752d26760a29635a

SHA512
8d3684b3133818f9e9d4a979e62f9fc331ec6d3b34b7e4c854459332889f44bf29f6c8f8334f5c155071d4ab1b521d88fcca38360c22e8567fe0765e1350b038

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler.exe
Filesize
763KB

MD5
0a50081a6cd37aea0945c91de91c5d97

SHA1
755309c6d9fa4cd13b6c867cde01cc1e0d415d00

SHA256
6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

SHA512
f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler.exe
Filesize
763KB

MD5
0a50081a6cd37aea0945c91de91c5d97

SHA1
755309c6d9fa4cd13b6c867cde01cc1e0d415d00

SHA256
6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

SHA512
f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Download Submit
C:\Users\Admin\AppData\Local\Temp\mat-debug8787.txt
Filesize
24B

MD5
6ddac8dbf280190fda6f9ecc3167f804

SHA1
492ddc39d5467c84fa2a6e12a8dcf943cf4e2150

SHA256
e0d3567dc1fc114253fc66724b5e226ff1907a767abef8f684e3b7359719ab55

SHA512
77dafbba153b620ea5fced1d91dee2c9fbe80a5ac555929d2cf5c023a931dbd2a980cb719d28652779f9e785e45b772f98270ac7737f403e691fb0e2642789ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_cookie.json
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_credit.json
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_download.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_history.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_password.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_bookmark.json
Filesize
576B

MD5
480e14f9dda72f4478e58922b76e0d62

SHA1
528732155959e851fddcfdd4a1f0087f8d74697b

SHA256
7de5e32b6d1724ec5d14bc2dc8a0185a25d6f10d30ad66de3d5a9203c64efc35

SHA512
bf1e675dde4e11fe756e9be94824ed00cf37767f3898756802a2d9b45bcc19b4633800c68d4c5b98eaf3e3e909b8af892ef42aa6f3b63f74828a69613eb36a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_cookie.json
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_download.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_history.json
Filesize
819B

MD5
6292afd08e57618985860d5517e5e09b

SHA1
ea3abe1ce8927c84b5be1a7ccbe0ccade14e5bec

SHA256
16dfc0285c4563c09b7b336cc551c9e9fefe8e2ff92bebf4dcd29e56cd2e5f56

SHA512
e75f322f79ff99e0ef2a3c8bd04feea872686ca4d9623521a0dfaa7ff67050aa9e31fb33b8084791b22be08bbb59320b82c0814e2bb86a3e196f5922536e5da4

Download Submit
\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Filesize
663KB

MD5
e4df57bd77bee2f9c9e3ea85d9140cc7

SHA1
a382fdddc8b9c47d57878c8e3a24bd991400a76b

SHA256
a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

SHA512
81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26

Download Submit
\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Filesize
663KB

MD5
e4df57bd77bee2f9c9e3ea85d9140cc7

SHA1
a382fdddc8b9c47d57878c8e3a24bd991400a76b

SHA256
a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

SHA512
81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26

Download Submit
\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Filesize
663KB

MD5
e4df57bd77bee2f9c9e3ea85d9140cc7

SHA1
a382fdddc8b9c47d57878c8e3a24bd991400a76b

SHA256
a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

SHA512
81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26

Download Submit
\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Filesize
663KB

MD5
e4df57bd77bee2f9c9e3ea85d9140cc7

SHA1
a382fdddc8b9c47d57878c8e3a24bd991400a76b

SHA256
a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

SHA512
81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26

Download Submit
\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Filesize
663KB

MD5
e4df57bd77bee2f9c9e3ea85d9140cc7

SHA1
a382fdddc8b9c47d57878c8e3a24bd991400a76b

SHA256
a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

SHA512
81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26

Download Submit
\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe
Filesize
213KB

MD5
93f60615483ac2d688014fb8abb49493

SHA1
a9e62e660df816b144eedf50634f79bad4ae5aaa

SHA256
e8a21b70b0c351d344ff21ac0c90a1d1473baeb5448c75a93fc892627d63481e

SHA512
195ab59e26050c8d9d00778556a30e76a88e69f625041623e74c56fbf226383ce3fc41d0c7a93fbed9a13f1399d4491e4c38e30f6452653f6518f69b23dfa202

Download Submit
\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
Filesize
5.8MB

MD5
b7b1d390baaf579925ec6a33b6beeec8

SHA1
5adc077b6f3bb003612bee45dde4048c0b3badf7

SHA256
1a774eda0f7432744cecdfddf9f0e6d69fa1d89cba0530928d56db6a564a4cbb

SHA512
50be590f78123b67ad8c56010e07d7f713bf86c8bc1e21d857422667fd8b2c40cd45df06bf3b88c91e18a5c1bb749df4c33a109ff18a5c783320a85d5679cc90

Download Submit
\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
Filesize
5.8MB

MD5
b7b1d390baaf579925ec6a33b6beeec8

SHA1
5adc077b6f3bb003612bee45dde4048c0b3badf7

SHA256
1a774eda0f7432744cecdfddf9f0e6d69fa1d89cba0530928d56db6a564a4cbb

SHA512
50be590f78123b67ad8c56010e07d7f713bf86c8bc1e21d857422667fd8b2c40cd45df06bf3b88c91e18a5c1bb749df4c33a109ff18a5c783320a85d5679cc90

Download Submit
\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
Filesize
5.8MB

MD5
b7b1d390baaf579925ec6a33b6beeec8

SHA1
5adc077b6f3bb003612bee45dde4048c0b3badf7

SHA256
1a774eda0f7432744cecdfddf9f0e6d69fa1d89cba0530928d56db6a564a4cbb

SHA512
50be590f78123b67ad8c56010e07d7f713bf86c8bc1e21d857422667fd8b2c40cd45df06bf3b88c91e18a5c1bb749df4c33a109ff18a5c783320a85d5679cc90

Download Submit
\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe
Filesize
287KB

MD5
46ba1202b6647cd0c5f4313074521505

SHA1
0fd9cabf93ec4adf41837630c689399d5a0480bc

SHA256
2df6b0ff15250c330493d9ac2e4b8b69f96b80340539ba7fc66376ee6019ed74

SHA512
8c09b7bfcf8d1e09d4425d180c8ee7c623809f807508c344310f6aa70207f1163650b41b4f31af99361df41249f4aa48a098437cd65636557c100dae0433faae

Download Submit
\Users\Admin\AppData\Local\Temp\juscheduler-2.exe
Filesize
269KB

MD5
0aa1ab3c5fb489bcafd94c3531b78155

SHA1
8ae2e42d5330ab4eddb9790beb17c856ad8d7b6b

SHA256
376aa36dd9b2e2615005f04e75b27a63e12f398cc3df9f4a752d26760a29635a

SHA512
8d3684b3133818f9e9d4a979e62f9fc331ec6d3b34b7e4c854459332889f44bf29f6c8f8334f5c155071d4ab1b521d88fcca38360c22e8567fe0765e1350b038

Download Submit
\Users\Admin\AppData\Local\Temp\juscheduler.exe
Filesize
763KB

MD5
0a50081a6cd37aea0945c91de91c5d97

SHA1
755309c6d9fa4cd13b6c867cde01cc1e0d415d00

SHA256
6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

SHA512
f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Download Submit
memory/560-95-0x0000000000000000-mapping.dmp

Download
memory/820-83-0x0000000000000000-mapping.dmp

Download
memory/996-111-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/996-60-0x0000000000000000-mapping.dmp

Download
memory/996-69-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1248-90-0x0000000000CA0000-0x0000000000D18000-memory.dmp

Filesize
480KB

Download
memory/1248-87-0x0000000000000000-mapping.dmp

Download
memory/1340-112-0x0000000000000000-mapping.dmp

Download
memory/1364-107-0x0000000001210000-0x000000000121C000-memory.dmp

Filesize
48KB

Download
memory/1364-57-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1364-108-0x0000000001220000-0x0000000001236000-memory.dmp

Filesize
88KB

Download
memory/1364-54-0x00000000013C0000-0x00000000014BA000-memory.dmp

Filesize
1000KB

Download
memory/1364-58-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1464-73-0x0000000000000000-mapping.dmp

Download
memory/1544-77-0x0000000000000000-mapping.dmp

Download
memory/1544-80-0x0000000000BB0000-0x0000000000C2E000-memory.dmp

Filesize
504KB

Download
memory/1620-109-0x0000000000000000-mapping.dmp

Download
memory/1660-130-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-129-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-126-0x0000000000000000-mapping.dmp

Download
memory/1736-70-0x0000000000000000-mapping.dmp

Download
memory/1760-124-0x000000001BD57000-0x000000001BD76000-memory.dmp

Filesize
124KB

Download
memory/1760-65-0x0000000000000000-mapping.dmp

Download
memory/1760-68-0x0000000000150000-0x000000000018C000-memory.dmp

Filesize
240KB

Download
memory/1948-123-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-125-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-122-0x0000000070730000-0x0000000070CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-119-0x0000000000000000-mapping.dmp

Download