revengerat | 3cf32b77fcb1783f3c5dbbf82bf6630618691f3d51dadd015a9fd43e92d7bc6d

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

6.3MB
MD5

c5312ef3c2394517918f27aeec8b97b3
SHA1

9f49b322a92a3ce3914aaf30f6c8163b987ec678
SHA256

3cf32b77fcb1783f3c5dbbf82bf6630618691f3d51dadd015a9fd43e92d7bc6d
SHA512

13e6b5461d165d217a48f63052ada527b16bb9be4e1e68adf53ba2d8b895ca292e8301a86ca0d091c1449242375d069a19f5adc81bb4509d903a1a74c589fd27
SSDEEP

196608:hgcWmJcIhc9dDxt7xhw5ZV983405QYtsTEB08T8HehLvkU:7CLdltlhaZHwVdfB08TOeh9

Score

10^/10

revengerat system service evasion persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

revengerat

Botnet

System Service

anonymous83.ddns.net:4040

Mutex

RV_MUTEX-nawrHJfWfhaRC

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

FINAL1.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions FINAL1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	FINAL1.EXE

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1424-98-0x000000001B4C0000-0x000000001B802000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1424-98-0x000000001B4C0000-0x000000001B802000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe	Nirsoft

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
behavioral1/memory/1072-85-0x00000000002A0000-0x00000000002AA000-memory.dmp	revengerat

Drops file in Drivers directory 1 IoCs

Processes:

SYSTEM SERVICE.EXE

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts SYSTEM SERVICE.EXE
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

FINAL1.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools FINAL1.EXE
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

FINAL1.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FINAL1.EXE
Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Service.exe vbc.exe
Executes dropped EXE 6 IoCs

Processes:

PACKAGES.EXESYSTEM SERVICE.EXEFINAL.EXEFINAL1.EXERtkBtManServ.exebfsvc.exe

pid process

916 PACKAGES.EXE
1072 SYSTEM SERVICE.EXE
1140 FINAL.EXE
1548 FINAL1.EXE
1424 RtkBtManServ.exe
2036 bfsvc.exe
Loads dropped DLL 6 IoCs

Processes:

sample.exePACKAGES.EXE

pid process

848 sample.exe
848 sample.exe
848 sample.exe
848 sample.exe
916 PACKAGES.EXE
916 PACKAGES.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	SYSTEM SERVICE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	FINAL1.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FINAL1.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Service.exe	vbc.exe

pid	process
916	PACKAGES.EXE
1072	SYSTEM SERVICE.EXE
1140	FINAL.EXE
1548	FINAL1.EXE
1424	RtkBtManServ.exe
2036	bfsvc.exe

pid	process
848	sample.exe
848	sample.exe
848	sample.exe
848	sample.exe
916	PACKAGES.EXE
916	PACKAGES.EXE

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\FINAL.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL1.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL1.EXE	vmprotect
\Users\Admin\AppData\Roaming\FINAL1.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL.EXE	vmprotect
behavioral1/memory/1548-84-0x00000000001C0000-0x0000000000242000-memory.dmp	vmprotect
behavioral1/memory/1140-86-0x0000000000C20000-0x0000000001516000-memory.dmp	vmprotect
behavioral1/memory/1072-87-0x0000000001FF0000-0x0000000002070000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SYSTEM SERVICE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemService = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM SERVICE.EXE"	SYSTEM SERVICE.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip4.seeip.org
6 ip4.seeip.org
7 ip4.seeip.org
13 ip-api.com
18 api64.ipify.org
19 api64.ipify.org

flow	ioc
5	ip4.seeip.org
6	ip4.seeip.org
7	ip4.seeip.org
13	ip-api.com
18	api64.ipify.org
19	api64.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

FINAL1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	FINAL1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1532 1548 WerFault.exe FINAL1.EXE
1240 1424 WerFault.exe RtkBtManServ.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

FINAL1.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S FINAL1.EXE

pid	pid_target	process	target process
1532	1548	WerFault.exe	FINAL1.EXE
1240	1424	WerFault.exe	RtkBtManServ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	FINAL1.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FINAL1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FINAL1.EXE

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

FINAL1.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	FINAL1.EXE

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

FINAL1.EXERtkBtManServ.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	FINAL1.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RtkBtManServ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RtkBtManServ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	FINAL1.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	FINAL1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	FINAL1.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	FINAL1.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	FINAL1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RtkBtManServ.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

bfsvc.exe

pid process

2036 bfsvc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SYSTEM SERVICE.EXEFINAL1.EXERtkBtManServ.exe

description pid process

Token: SeDebugPrivilege 1072 SYSTEM SERVICE.EXE
Token: SeDebugPrivilege 1548 FINAL1.EXE
Token: SeDebugPrivilege 1424 RtkBtManServ.exe

pid	process
2036	bfsvc.exe

description	pid	process
Token: SeDebugPrivilege	1072	SYSTEM SERVICE.EXE
Token: SeDebugPrivilege	1548	FINAL1.EXE
Token: SeDebugPrivilege	1424	RtkBtManServ.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

sample.exePACKAGES.EXEFINAL.EXEFINAL1.EXERtkBtManServ.exeWScript.execmd.exeSYSTEM SERVICE.EXEvbc.exe

description	pid	process	target process
PID 848 wrote to memory of 916	848	sample.exe	PACKAGES.EXE
PID 848 wrote to memory of 916	848	sample.exe	PACKAGES.EXE
PID 848 wrote to memory of 916	848	sample.exe	PACKAGES.EXE
PID 848 wrote to memory of 916	848	sample.exe	PACKAGES.EXE
PID 848 wrote to memory of 1072	848	sample.exe	SYSTEM SERVICE.EXE
PID 848 wrote to memory of 1072	848	sample.exe	SYSTEM SERVICE.EXE
PID 848 wrote to memory of 1072	848	sample.exe	SYSTEM SERVICE.EXE
PID 848 wrote to memory of 1072	848	sample.exe	SYSTEM SERVICE.EXE
PID 916 wrote to memory of 1140	916	PACKAGES.EXE	FINAL.EXE
PID 916 wrote to memory of 1140	916	PACKAGES.EXE	FINAL.EXE
PID 916 wrote to memory of 1140	916	PACKAGES.EXE	FINAL.EXE
PID 916 wrote to memory of 1140	916	PACKAGES.EXE	FINAL.EXE
PID 916 wrote to memory of 1548	916	PACKAGES.EXE	FINAL1.EXE
PID 916 wrote to memory of 1548	916	PACKAGES.EXE	FINAL1.EXE
PID 916 wrote to memory of 1548	916	PACKAGES.EXE	FINAL1.EXE
PID 916 wrote to memory of 1548	916	PACKAGES.EXE	FINAL1.EXE
PID 1140 wrote to memory of 1424	1140	FINAL.EXE	RtkBtManServ.exe
PID 1140 wrote to memory of 1424	1140	FINAL.EXE	RtkBtManServ.exe
PID 1140 wrote to memory of 1424	1140	FINAL.EXE	RtkBtManServ.exe
PID 1548 wrote to memory of 1532	1548	FINAL1.EXE	WerFault.exe
PID 1548 wrote to memory of 1532	1548	FINAL1.EXE	WerFault.exe
PID 1548 wrote to memory of 1532	1548	FINAL1.EXE	WerFault.exe
PID 1424 wrote to memory of 456	1424	RtkBtManServ.exe	WScript.exe
PID 1424 wrote to memory of 456	1424	RtkBtManServ.exe	WScript.exe
PID 1424 wrote to memory of 456	1424	RtkBtManServ.exe	WScript.exe
PID 456 wrote to memory of 308	456	WScript.exe	cmd.exe
PID 456 wrote to memory of 308	456	WScript.exe	cmd.exe
PID 456 wrote to memory of 308	456	WScript.exe	cmd.exe
PID 308 wrote to memory of 2036	308	cmd.exe	bfsvc.exe
PID 308 wrote to memory of 2036	308	cmd.exe	bfsvc.exe
PID 308 wrote to memory of 2036	308	cmd.exe	bfsvc.exe
PID 308 wrote to memory of 2036	308	cmd.exe	bfsvc.exe
PID 1424 wrote to memory of 1240	1424	RtkBtManServ.exe	WerFault.exe
PID 1424 wrote to memory of 1240	1424	RtkBtManServ.exe	WerFault.exe
PID 1424 wrote to memory of 1240	1424	RtkBtManServ.exe	WerFault.exe
PID 1072 wrote to memory of 1896	1072	SYSTEM SERVICE.EXE	vbc.exe
PID 1072 wrote to memory of 1896	1072	SYSTEM SERVICE.EXE	vbc.exe
PID 1072 wrote to memory of 1896	1072	SYSTEM SERVICE.EXE	vbc.exe
PID 1896 wrote to memory of 576	1896	vbc.exe	cvtres.exe
PID 1896 wrote to memory of 576	1896	vbc.exe	cvtres.exe
PID 1896 wrote to memory of 576	1896	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Roaming\PACKAGES.EXE
"C:\Users\Admin\AppData\Roaming\PACKAGES.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Roaming\FINAL.EXE
"C:\Users\Admin\AppData\Roaming\FINAL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs7OohLZbYJaRSbgsdL3qHF+VKeg3jSI1WOfwSiuA/HV0pW9mgP8G3srknd2b3lBPGQ/wYBQmiQtGN1ZgtVC4saKgVIi0+sj0BECZLtzV+WpWqdHQYq1pK/EV5nF3StzFak=
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1424 -s 2076
5⤵
- Program crash
PID:1240

C:\Users\Admin\AppData\Roaming\FINAL1.EXE
"C:\Users\Admin\AppData\Roaming\FINAL1.EXE"
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1548 -s 1920
4⤵
- Program crash
PID:1532

C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
"C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sjjqivzg.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCFA.tmp"
4⤵
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c74b79fd7641a4174f72fd9983337f91

SHA1
f7f01cfeba1de1bab5bef86461db673fd8f39957

SHA256
0b8730aaf74c3b6f4b22c57ecd3b96033594494a1edc259cadcef33071151a77

SHA512
b184ac8af1b0edf485e7b08a6aa3c825dc2da3bad06752322590d626341329d2a041a108cbb4adfd182d7fa6fb27686adb08efc4076716b07ef508ed1d5faca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0bb48969f203c9f48701d4e59714f4ec

SHA1
d843bde29a9fe1729c88aefca4207ac172f369bd

SHA256
15226e4816e93eff06d83700583e7760381141a8ac12334781ccb48657504078

SHA512
55c74f9a6d0cbbee1b320ea473f16e41489ca551b3107b1d7ccfef0fced0219e7b90e84cb9cc30d63c71f3a8c5609e225e34cda8830b3af7a46bcefe1bb9a661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5CC3.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD0A.tmp
Filesize
1KB

MD5
a1e8b610a3e501cdbd41502094eb9a7f

SHA1
e11f28c7943904a4ac6983fd6fd977f2aff333ff

SHA256
7d124d74a6eb7e8fe12ed9d5351104ad5144c51a75f603f6fda49cd26d4b7382

SHA512
04aff02c2cc4e97bd98eecbe2ee4e05ca7fdc2485e4fa103ac46bca24e0f690ad71c955213cfce61ba1c620aeaff4a6235864d4e1b9237ce4f1a88c3c57fb83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E12.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
Filesize
529B

MD5
5242530a2b65089696f3cf8e5ee02ff7

SHA1
d604293148cdd953b3368c54920c043cffe9e1c1

SHA256
239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781

SHA512
7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
70B

MD5
d90accebb3f79fe65cd938425c07b0ae

SHA1
9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

SHA256
aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

SHA512
44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
Filesize
107B

MD5
5cf0b95f68c3304427f858db1cdde895

SHA1
a0c5c3872307e9497f8868b9b8b956b9736a9cdf

SHA256
353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa

SHA512
5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjjqivzg.0.vb
Filesize
158B

MD5
fe4eabc997c7a167e1fbeac9bac62c66

SHA1
e5aa37e2a368dee352b6755947c0ee03bc565bd8

SHA256
c1f7fdedad51c8b8e2c6597763eb043b571a82720879dd35ef8b4588ecf0c289

SHA512
65ef77f64dd327c3d1e6b519618d111775cee709566e56207f5f92229964feb0b31d8a9eceb756127f39d25a5ecb8c4d1aaa5eb6a458d7cd038f77a0c0e3c9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjjqivzg.cmdline
Filesize
202B

MD5
62b1a9369933584e24a192f3053409f6

SHA1
e4052be39d7b8d89530dfef33dabee261fd6c4ed

SHA256
4538cc117753990aa22445580fb3cc0d2fd3ca4d27d0b98ed2a5b4be8e6e3a1b

SHA512
b8fcf89f17933c332105aaae394d2954771f99342ec295ae7617b209e54c971c06d4c39e899abe68f618ed61fb07d3b794fbf29dc8838546fd74f97a6f41552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBCFA.tmp
Filesize
676B

MD5
751ae76305422d9d886fdecfe0ee4507

SHA1
11235253cdcce52c566cfb6a47d556a884c45aff

SHA256
55d58db029cb1d62dece14ba90803a552d1bdfcf4ea34f66e4d9f8b1d6b13cd8

SHA512
a6bee99cbc516aa567b02a0f696a015cf77410f5fa0048cf34d84eb8ff2cf34d8a85ae17a484dd7fa3f397177406b414c69846c4f0b51bdcd755a323dbfa9b76

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL.EXE
Filesize
5.9MB

MD5
84f0399f855ceff7bb020bca9c3bee1b

SHA1
4988dea4cf742dab85defdc89afe3ce092fc0a87

SHA256
bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd

SHA512
79c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL.EXE
Filesize
5.9MB

MD5
84f0399f855ceff7bb020bca9c3bee1b

SHA1
4988dea4cf742dab85defdc89afe3ce092fc0a87

SHA256
bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd

SHA512
79c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL1.EXE
Filesize
293KB

MD5
7bb3828c90ffa74016c20224368bd2b5

SHA1
f63228f3a89bea826c1d037c2a9f181dea34e2d4

SHA256
53acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03

SHA512
bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL1.EXE
Filesize
293KB

MD5
7bb3828c90ffa74016c20224368bd2b5

SHA1
f63228f3a89bea826c1d037c2a9f181dea34e2d4

SHA256
53acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03

SHA512
bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4

Download Submit
C:\Users\Admin\AppData\Roaming\PACKAGES.EXE
Filesize
6.3MB

MD5
671fcb9a314f9edfb0b5367bf8c2a237

SHA1
d394d5b923500848b28b1eda036a1be6118526b4

SHA256
52c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910

SHA512
10c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712

Download Submit
C:\Users\Admin\AppData\Roaming\PACKAGES.EXE
Filesize
6.3MB

MD5
671fcb9a314f9edfb0b5367bf8c2a237

SHA1
d394d5b923500848b28b1eda036a1be6118526b4

SHA256
52c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910

SHA512
10c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712

Download Submit
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
\Users\Admin\AppData\Roaming\FINAL.EXE
Filesize
5.9MB

MD5
84f0399f855ceff7bb020bca9c3bee1b

SHA1
4988dea4cf742dab85defdc89afe3ce092fc0a87

SHA256
bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd

SHA512
79c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6

Download Submit
\Users\Admin\AppData\Roaming\FINAL1.EXE
Filesize
293KB

MD5
7bb3828c90ffa74016c20224368bd2b5

SHA1
f63228f3a89bea826c1d037c2a9f181dea34e2d4

SHA256
53acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03

SHA512
bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4

Download Submit
\Users\Admin\AppData\Roaming\PACKAGES.EXE
Filesize
6.3MB

MD5
671fcb9a314f9edfb0b5367bf8c2a237

SHA1
d394d5b923500848b28b1eda036a1be6118526b4

SHA256
52c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910

SHA512
10c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712

Download Submit
\Users\Admin\AppData\Roaming\PACKAGES.EXE
Filesize
6.3MB

MD5
671fcb9a314f9edfb0b5367bf8c2a237

SHA1
d394d5b923500848b28b1eda036a1be6118526b4

SHA256
52c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910

SHA512
10c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712

Download Submit
\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
memory/1072-87-0x0000000001FF0000-0x0000000002070000-memory.dmp

Filesize
512KB

Download
memory/1072-85-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1140-86-0x0000000000C20000-0x0000000001516000-memory.dmp

Filesize
9.0MB

Download
memory/1424-98-0x000000001B4C0000-0x000000001B802000-memory.dmp

Filesize
3.3MB

Download
memory/1424-199-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download
memory/1424-202-0x00000000020C0000-0x00000000020F2000-memory.dmp

Filesize
200KB

Download
memory/1424-201-0x0000000000930000-0x000000000094A000-memory.dmp

Filesize
104KB

Download
memory/1424-222-0x000000001A960000-0x000000001A968000-memory.dmp

Filesize
32KB

Download
memory/1424-97-0x0000000000970000-0x0000000000C4A000-memory.dmp

Filesize
2.9MB

Download
memory/1424-200-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/1424-203-0x000000001BBF0000-0x000000001BC92000-memory.dmp

Filesize
648KB

Download
memory/1424-106-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/1424-100-0x0000000002400000-0x00000000024B0000-memory.dmp

Filesize
704KB

Download
memory/1424-99-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/1548-228-0x000000001A800000-0x000000001A880000-memory.dmp

Filesize
512KB

Download
memory/1548-89-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1548-88-0x000000001A800000-0x000000001A880000-memory.dmp

Filesize
512KB

Download
memory/1548-84-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download