dcrat | 33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20231129-en
resource tags

arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
submitted
02-12-2023 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
Size

298KB
MD5

324b2ca22681529774ba2fed0266bf21
SHA1

70f05e1639b2806eb9396b75e140c2c7183c072d
SHA256

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949
SHA512

87bd04df383780c7896a73f6b2dd1ff127fe4d5acfd199a39f1345477cdca50647809cb810bf18c9fcbac330de089d70be788f2b5ff4f99d1e06c5d776aefe69
SSDEEP

6144:7JYS9PnXmCIqwQta5ZLfFXElu4GoBSUp6:7JN9PXmCIqxta5ZLZE8sBZI

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.jazi
offline_id
UlJXrkKDIkENh0vb5W9For2Yyh6riGytjO5p2St1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iu965qqEb1 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0830Usdk

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Extracted

Family

vidar

Version

6.7

Botnet

aef20f7eb91ec5457d74e4fa0796c2bf

https://t.me/s4p0g

https://steamcommunity.com/profiles/76561199575355834

Attributes

profile_id_v2
aef20f7eb91ec5457d74e4fa0796c2bf

Signatures

DcRat 3 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe418B.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3171942101-2809460380-3727589934-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a20124f-d8ae-489c-aca7-8b89049dac2a\\418B.exe\" --AutoStart"	418B.exe
2068	schtasks.exe

Detect PureLogs payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5D91.exe	family_purelogs
C:\Users\Admin\AppData\Local\Temp\5D91.exe	family_purelogs
behavioral1/memory/356-116-0x000002B6619C0000-0x000002B661B06000-memory.dmp	family_purelogs
C:\Users\Admin\AppData\Local\Temp\5D91.exe	family_purelogs

Detect ZGRat V1 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3788-136-0x000001F4652A0000-0x000001F465384000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-139-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-140-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-146-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-148-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-144-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-142-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-150-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-152-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-154-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-156-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-158-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-160-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-162-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-164-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-166-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-168-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-170-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-172-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1
behavioral1/memory/3788-174-0x000001F4652A0000-0x000001F465380000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/924-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/924-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/924-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4804-61-0x0000000002500000-0x000000000261B000-memory.dmp	family_djvu
behavioral1/memory/924-63-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/924-77-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-100-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-102-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-103-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-110-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-111-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-127-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-129-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-130-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1956-1676-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-83-0x00000000001C0000-0x00000000001FC000-memory.dmp	family_redline
behavioral1/memory/1980-88-0x0000000000400000-0x0000000000449000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

2A68.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2A68.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2A68.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2A68.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2A68.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2A68.exe

Executes dropped EXE 15 IoCs

Processes:

1827.exe1827.exe2A68.exe418B.exe418B.exe418B.exe4F48.exe418B.exe5D91.exe5D91.exebuild2.exebuild3.exebuild3.exebuild2.exemstsca.exe

pid	process
656	1827.exe
2408	1827.exe
700	2A68.exe
4804	418B.exe
924	418B.exe
208	418B.exe
1980	4F48.exe
1956	418B.exe
356	5D91.exe
3788	5D91.exe
2244	build2.exe
2568	build3.exe
3408	build3.exe
4172	build2.exe
3964	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3264 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3264	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2A68.exe	themida
C:\Users\Admin\AppData\Local\Temp\2A68.exe	themida
behavioral1/memory/700-42-0x0000000000900000-0x0000000001328000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

418B.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3171942101-2809460380-3727589934-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a20124f-d8ae-489c-aca7-8b89049dac2a\\418B.exe\" --AutoStart"	418B.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2A68.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2A68.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

60 api.2ip.ua
61 api.2ip.ua
78 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2A68.exe

pid process

700 2A68.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2A68.exe

flow	ioc
60	api.2ip.ua
61	api.2ip.ua
78	api.2ip.ua

pid	process
700	2A68.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe1827.exe418B.exe418B.exe5D91.exebuild3.exebuild2.exe

description	pid	process	target process
PID 4624 set thread context of 4540	4624	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
PID 656 set thread context of 2408	656	1827.exe	1827.exe
PID 4804 set thread context of 924	4804	418B.exe	418B.exe
PID 208 set thread context of 1956	208	418B.exe	418B.exe
PID 356 set thread context of 3788	356	5D91.exe	5D91.exe
PID 2568 set thread context of 3408	2568	build3.exe	build3.exe
PID 2244 set thread context of 4172	2244	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4588	4540	WerFault.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
704	4172	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2068 schtasks.exe

pid	process
2068	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae453000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877609000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030120000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe

pid	process
4540	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
4540	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320
3320

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3320
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe

pid process

4540 33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe

pid	process
3320

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

5D91.exe4F48.exe

description	pid	process
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeDebugPrivilege	356	5D91.exe
Token: SeDebugPrivilege	1980	4F48.exe
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320
Token: SeShutdownPrivilege	3320
Token: SeCreatePagefilePrivilege	3320

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3320
3320
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3320
3320

pid	process
3320
3320

pid	process
3320
3320

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.execmd.exe1827.exe418B.exe418B.exe418B.exe5D91.exe418B.exe

description	pid	process	target process
PID 4624 wrote to memory of 4540	4624	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
PID 4624 wrote to memory of 4540	4624	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
PID 4624 wrote to memory of 4540	4624	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
PID 4624 wrote to memory of 4540	4624	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
PID 4624 wrote to memory of 4540	4624	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
PID 4624 wrote to memory of 4540	4624	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe	33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
PID 3320 wrote to memory of 656	3320		1827.exe
PID 3320 wrote to memory of 656	3320		1827.exe
PID 3320 wrote to memory of 656	3320		1827.exe
PID 3320 wrote to memory of 2332	3320		cmd.exe
PID 3320 wrote to memory of 2332	3320		cmd.exe
PID 2332 wrote to memory of 1940	2332	cmd.exe	reg.exe
PID 2332 wrote to memory of 1940	2332	cmd.exe	reg.exe
PID 656 wrote to memory of 2408	656	1827.exe	1827.exe
PID 656 wrote to memory of 2408	656	1827.exe	1827.exe
PID 656 wrote to memory of 2408	656	1827.exe	1827.exe
PID 656 wrote to memory of 2408	656	1827.exe	1827.exe
PID 656 wrote to memory of 2408	656	1827.exe	1827.exe
PID 656 wrote to memory of 2408	656	1827.exe	1827.exe
PID 3320 wrote to memory of 700	3320		2A68.exe
PID 3320 wrote to memory of 700	3320		2A68.exe
PID 3320 wrote to memory of 700	3320		2A68.exe
PID 3320 wrote to memory of 4804	3320		418B.exe
PID 3320 wrote to memory of 4804	3320		418B.exe
PID 3320 wrote to memory of 4804	3320		418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 4804 wrote to memory of 924	4804	418B.exe	418B.exe
PID 924 wrote to memory of 3264	924	418B.exe	icacls.exe
PID 924 wrote to memory of 3264	924	418B.exe	icacls.exe
PID 924 wrote to memory of 3264	924	418B.exe	icacls.exe
PID 924 wrote to memory of 208	924	418B.exe	418B.exe
PID 924 wrote to memory of 208	924	418B.exe	418B.exe
PID 924 wrote to memory of 208	924	418B.exe	418B.exe
PID 3320 wrote to memory of 1980	3320		4F48.exe
PID 3320 wrote to memory of 1980	3320		4F48.exe
PID 3320 wrote to memory of 1980	3320		4F48.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 208 wrote to memory of 1956	208	418B.exe	418B.exe
PID 3320 wrote to memory of 356	3320		5D91.exe
PID 3320 wrote to memory of 356	3320		5D91.exe
PID 356 wrote to memory of 3788	356	5D91.exe	5D91.exe
PID 356 wrote to memory of 3788	356	5D91.exe	5D91.exe
PID 356 wrote to memory of 3788	356	5D91.exe	5D91.exe
PID 356 wrote to memory of 3788	356	5D91.exe	5D91.exe
PID 356 wrote to memory of 3788	356	5D91.exe	5D91.exe
PID 356 wrote to memory of 3788	356	5D91.exe	5D91.exe
PID 1956 wrote to memory of 2244	1956	418B.exe	build2.exe
PID 1956 wrote to memory of 2244	1956	418B.exe	build2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
"C:\Users\Admin\AppData\Local\Temp\33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe
"C:\Users\Admin\AppData\Local\Temp\33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949.exe"
2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 496
3⤵
- Program crash
PID:4588

C:\Users\Admin\AppData\Local\Temp\1827.exe
C:\Users\Admin\AppData\Local\Temp\1827.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\1827.exe
C:\Users\Admin\AppData\Local\Temp\1827.exe
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19CD.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\2A68.exe
C:\Users\Admin\AppData\Local\Temp\2A68.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:700

C:\Users\Admin\AppData\Local\Temp\418B.exe
C:\Users\Admin\AppData\Local\Temp\418B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\418B.exe
C:\Users\Admin\AppData\Local\Temp\418B.exe
2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6a20124f-d8ae-489c-aca7-8b89049dac2a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3264

C:\Users\Admin\AppData\Local\Temp\418B.exe
"C:\Users\Admin\AppData\Local\Temp\418B.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\418B.exe
"C:\Users\Admin\AppData\Local\Temp\418B.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build2.exe
"C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2244

C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build2.exe
"C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1876
7⤵
- Program crash
PID:704

C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build3.exe
"C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2568

C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build3.exe
"C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build3.exe"
6⤵
- Executes dropped EXE
PID:3408

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:2068

C:\Users\Admin\AppData\Local\Temp\4F48.exe
C:\Users\Admin\AppData\Local\Temp\4F48.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\5D91.exe
C:\Users\Admin\AppData\Local\Temp\5D91.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:356

C:\Users\Admin\AppData\Local\Temp\5D91.exe
C:\Users\Admin\AppData\Local\Temp\5D91.exe
2⤵
- Executes dropped EXE
PID:3788

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e5925ea0049fa30db7038e409bedd6c1

SHA1
e0b26a6a87f589c83deaacf991eafd9a67fe763d

SHA256
d99a2f8591ddcb387ca4562f36aedb8d449fbad51b3c62110895485d6efb7818

SHA512
1800999f365f3838b36db444b4857c4cf6bb120262087ba41b29bedea8947cd1d4cc263f3ddc2c8b25afffa490d872a137e49097278ac0577874bc69998b662c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5e90409ef1099f2ebfea7176854cb61d

SHA1
091f47e486a35c10387d5183b543d848fc1415a4

SHA256
547ad9476e335a96286091e94800875aa3805574a780b22e2794c06ccddd0be8

SHA512
bf5d6d25c2a01c1004471c0cd636fa8ea894bbcc0fa5a1fade91f14272b43e0c1ee5d081edf65736e7228bc031d120bcaee5605bbe829530374c13e4d90bd77c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
cbddfc9c3f87cf1f6dd3773d30d1e246

SHA1
eacbc86727d6d99ce7176a7a6830d310d73adf6b

SHA256
22d2501df613ca1138f52897005a7714eb3e4c67d7459f6ae4e76cc072d6100d

SHA512
3908780ef029e5d23633d2cea7438f920bf4f0b938bc4b09cbbaf8b7561c2af194d92733f87187c0356784ed4e48d19c1dddb79c5f1db24fc92da147358ee573

Download Submit
C:\Users\Admin\AppData\Local\6a20124f-d8ae-489c-aca7-8b89049dac2a\418B.exe

Filesize
807KB

MD5
134fd5baa172186f88ff082bd9099f9a

SHA1
a761165df803a04f4568099705b2f1eed15807fc

SHA256
f23076563fdced0c6600cf10160593ba4abc325809396d102d4c0e8a8d7af4c7

SHA512
d86f894030fa149f6dd91c5b2103ca126a4f51fa0aa2d40776dc28559514767475fe0415672e0b86ac67d7282eb1cbfb0cd23444ef494d535c8be0af206101ed

Download Submit
C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build2.exe

Filesize
328KB

MD5
8d6be514da06d4376ac1effe95572578

SHA1
c2a7b7ae2e895bcfe4455e9b18f3336249a496c5

SHA256
7658a56d7ea6afcc08a4f44652e04d98b5f83b8ec232b341ffa59aa77cd568ec

SHA512
b13d721d65fb1a54f067805f72ea32e2a9ff729d0898024f880fec51647292c9a55d0c8f9498e5573eb8c5597810011dccb96167f86be44a55348c4bb65bd13a

Download Submit
C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build2.exe

Filesize
328KB

MD5
8d6be514da06d4376ac1effe95572578

SHA1
c2a7b7ae2e895bcfe4455e9b18f3336249a496c5

SHA256
7658a56d7ea6afcc08a4f44652e04d98b5f83b8ec232b341ffa59aa77cd568ec

SHA512
b13d721d65fb1a54f067805f72ea32e2a9ff729d0898024f880fec51647292c9a55d0c8f9498e5573eb8c5597810011dccb96167f86be44a55348c4bb65bd13a

Download Submit
C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build2.exe

Filesize
328KB

MD5
8d6be514da06d4376ac1effe95572578

SHA1
c2a7b7ae2e895bcfe4455e9b18f3336249a496c5

SHA256
7658a56d7ea6afcc08a4f44652e04d98b5f83b8ec232b341ffa59aa77cd568ec

SHA512
b13d721d65fb1a54f067805f72ea32e2a9ff729d0898024f880fec51647292c9a55d0c8f9498e5573eb8c5597810011dccb96167f86be44a55348c4bb65bd13a

Download Submit
C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\9c54dd7a-e3f6-4beb-8963-b64b60b36719\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5D91.exe.log

Filesize
1KB

MD5
c59f53fdcc8060e77447ed9ebf9dc926

SHA1
0f1d44782f283b315a2ad6fe37727bdc188ea21c

SHA256
cf0159b7d6cca6fe61a234db3b0902459af8a6af8b9f3e5d5c52bbb4231cd44d

SHA512
1e504b99e4bc4dbf23b7545bfb2101f51ef81558eeacac41e1c9192ecf81e6017a72e89e273023df5bd806ae71ced6cef5c0f00cf91974e75a208638bfe07f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827.exe

Filesize
298KB

MD5
324b2ca22681529774ba2fed0266bf21

SHA1
70f05e1639b2806eb9396b75e140c2c7183c072d

SHA256
33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949

SHA512
87bd04df383780c7896a73f6b2dd1ff127fe4d5acfd199a39f1345477cdca50647809cb810bf18c9fcbac330de089d70be788f2b5ff4f99d1e06c5d776aefe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827.exe

Filesize
298KB

MD5
324b2ca22681529774ba2fed0266bf21

SHA1
70f05e1639b2806eb9396b75e140c2c7183c072d

SHA256
33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949

SHA512
87bd04df383780c7896a73f6b2dd1ff127fe4d5acfd199a39f1345477cdca50647809cb810bf18c9fcbac330de089d70be788f2b5ff4f99d1e06c5d776aefe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827.exe

Filesize
298KB

MD5
324b2ca22681529774ba2fed0266bf21

SHA1
70f05e1639b2806eb9396b75e140c2c7183c072d

SHA256
33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949

SHA512
87bd04df383780c7896a73f6b2dd1ff127fe4d5acfd199a39f1345477cdca50647809cb810bf18c9fcbac330de089d70be788f2b5ff4f99d1e06c5d776aefe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827.exe

Filesize
298KB

MD5
324b2ca22681529774ba2fed0266bf21

SHA1
70f05e1639b2806eb9396b75e140c2c7183c072d

SHA256
33ba0917e4dcbe3fc81aa6211d21144a3482f85c1438be99c78ff0616292e949

SHA512
87bd04df383780c7896a73f6b2dd1ff127fe4d5acfd199a39f1345477cdca50647809cb810bf18c9fcbac330de089d70be788f2b5ff4f99d1e06c5d776aefe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\19CD.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A68.exe

Filesize
4.0MB

MD5
ea1254ee8e517401e19da07de45150d7

SHA1
6c321952346731e4a1d8bfd4e6b3de0ca4a66590

SHA256
9a82f04f852e2f8553d3266306496aa6373cf9330ac10d5064b5f12295def0aa

SHA512
71be539f0dccd80a182f2fc19511a1daa1963fb5577fadc81a1c55946bf3b1e6a181d6e302f6cdd70664727775689430079ece0b634ae73b5087d9f05978a2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A68.exe

Filesize
4.0MB

MD5
ea1254ee8e517401e19da07de45150d7

SHA1
6c321952346731e4a1d8bfd4e6b3de0ca4a66590

SHA256
9a82f04f852e2f8553d3266306496aa6373cf9330ac10d5064b5f12295def0aa

SHA512
71be539f0dccd80a182f2fc19511a1daa1963fb5577fadc81a1c55946bf3b1e6a181d6e302f6cdd70664727775689430079ece0b634ae73b5087d9f05978a2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\418B.exe

Filesize
807KB

MD5
134fd5baa172186f88ff082bd9099f9a

SHA1
a761165df803a04f4568099705b2f1eed15807fc

SHA256
f23076563fdced0c6600cf10160593ba4abc325809396d102d4c0e8a8d7af4c7

SHA512
d86f894030fa149f6dd91c5b2103ca126a4f51fa0aa2d40776dc28559514767475fe0415672e0b86ac67d7282eb1cbfb0cd23444ef494d535c8be0af206101ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\418B.exe

Filesize
807KB

MD5
134fd5baa172186f88ff082bd9099f9a

SHA1
a761165df803a04f4568099705b2f1eed15807fc

SHA256
f23076563fdced0c6600cf10160593ba4abc325809396d102d4c0e8a8d7af4c7

SHA512
d86f894030fa149f6dd91c5b2103ca126a4f51fa0aa2d40776dc28559514767475fe0415672e0b86ac67d7282eb1cbfb0cd23444ef494d535c8be0af206101ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\418B.exe

Filesize
807KB

MD5
134fd5baa172186f88ff082bd9099f9a

SHA1
a761165df803a04f4568099705b2f1eed15807fc

SHA256
f23076563fdced0c6600cf10160593ba4abc325809396d102d4c0e8a8d7af4c7

SHA512
d86f894030fa149f6dd91c5b2103ca126a4f51fa0aa2d40776dc28559514767475fe0415672e0b86ac67d7282eb1cbfb0cd23444ef494d535c8be0af206101ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\418B.exe

Filesize
807KB

MD5
134fd5baa172186f88ff082bd9099f9a

SHA1
a761165df803a04f4568099705b2f1eed15807fc

SHA256
f23076563fdced0c6600cf10160593ba4abc325809396d102d4c0e8a8d7af4c7

SHA512
d86f894030fa149f6dd91c5b2103ca126a4f51fa0aa2d40776dc28559514767475fe0415672e0b86ac67d7282eb1cbfb0cd23444ef494d535c8be0af206101ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\418B.exe

Filesize
807KB

MD5
134fd5baa172186f88ff082bd9099f9a

SHA1
a761165df803a04f4568099705b2f1eed15807fc

SHA256
f23076563fdced0c6600cf10160593ba4abc325809396d102d4c0e8a8d7af4c7

SHA512
d86f894030fa149f6dd91c5b2103ca126a4f51fa0aa2d40776dc28559514767475fe0415672e0b86ac67d7282eb1cbfb0cd23444ef494d535c8be0af206101ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F48.exe

Filesize
287KB

MD5
6638cfc373156aa214b5021b86ddeaf3

SHA1
d05fac43a3e7305f4b6c6448dfff038f341ff932

SHA256
18ea7de00f889bbd42e1e038d6df98d325267309dbd360fec005fb7d652cb511

SHA512
9b0628dd3ca90a68f937de3621214fb30e19c56e53856d39ce70153886ddc6f40be5162f573a6af9d1d64caa49785b2c8e77792868148ca4eb0bf6abba68d137

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F48.exe

Filesize
287KB

MD5
6638cfc373156aa214b5021b86ddeaf3

SHA1
d05fac43a3e7305f4b6c6448dfff038f341ff932

SHA256
18ea7de00f889bbd42e1e038d6df98d325267309dbd360fec005fb7d652cb511

SHA512
9b0628dd3ca90a68f937de3621214fb30e19c56e53856d39ce70153886ddc6f40be5162f573a6af9d1d64caa49785b2c8e77792868148ca4eb0bf6abba68d137

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D91.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D91.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D91.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/208-101-0x00000000024C0000-0x0000000002560000-memory.dmp

Filesize
640KB

Download
memory/208-1632-0x00000000024C0000-0x0000000002560000-memory.dmp

Filesize
640KB

Download
memory/356-135-0x00007FFA255D0000-0x00007FFA25FBC000-memory.dmp

Filesize
9.9MB

Download
memory/356-123-0x000002B67C1B0000-0x000002B67C1FC000-memory.dmp

Filesize
304KB

Download
memory/356-122-0x000002B67C0E0000-0x000002B67C1A8000-memory.dmp

Filesize
800KB

Download
memory/356-120-0x000002B661EB0000-0x000002B661EC0000-memory.dmp

Filesize
64KB

Download
memory/356-121-0x000002B67C010000-0x000002B67C0D8000-memory.dmp

Filesize
800KB

Download
memory/356-119-0x00007FFA255D0000-0x00007FFA25FBC000-memory.dmp

Filesize
9.9MB

Download
memory/356-116-0x000002B6619C0000-0x000002B661B06000-memory.dmp

Filesize
1.3MB

Download
memory/356-118-0x000002B663750000-0x000002B663830000-memory.dmp

Filesize
896KB

Download
memory/656-25-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/700-34-0x00000000747D0000-0x00000000748A0000-memory.dmp

Filesize
832KB

Download
memory/700-47-0x0000000008400000-0x000000000850A000-memory.dmp

Filesize
1.0MB

Download
memory/700-32-0x0000000000900000-0x0000000001328000-memory.dmp

Filesize
10.2MB

Download
memory/700-33-0x00000000747D0000-0x00000000748A0000-memory.dmp

Filesize
832KB

Download
memory/700-90-0x0000000000900000-0x0000000001328000-memory.dmp

Filesize
10.2MB

Download
memory/700-117-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/700-92-0x00000000747D0000-0x00000000748A0000-memory.dmp

Filesize
832KB

Download
memory/700-93-0x00000000747D0000-0x00000000748A0000-memory.dmp

Filesize
832KB

Download
memory/700-35-0x0000000075930000-0x0000000075AF2000-memory.dmp

Filesize
1.8MB

Download
memory/700-95-0x0000000075930000-0x0000000075AF2000-memory.dmp

Filesize
1.8MB

Download
memory/700-50-0x0000000008510000-0x000000000855B000-memory.dmp

Filesize
300KB

Download
memory/700-49-0x0000000008370000-0x00000000083AE000-memory.dmp

Filesize
248KB

Download
memory/700-48-0x0000000008310000-0x0000000008322000-memory.dmp

Filesize
72KB

Download
memory/700-37-0x00000000747D0000-0x00000000748A0000-memory.dmp

Filesize
832KB

Download
memory/700-98-0x00000000747D0000-0x00000000748A0000-memory.dmp

Filesize
832KB

Download
memory/700-46-0x0000000009190000-0x0000000009796000-memory.dmp

Filesize
6.0MB

Download
memory/700-45-0x0000000001D00000-0x0000000001D0A000-memory.dmp

Filesize
40KB

Download
memory/700-44-0x0000000008180000-0x0000000008212000-memory.dmp

Filesize
584KB

Download
memory/700-43-0x0000000008680000-0x0000000008B7E000-memory.dmp

Filesize
5.0MB

Download
memory/700-42-0x0000000000900000-0x0000000001328000-memory.dmp

Filesize
10.2MB

Download
memory/700-41-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/700-38-0x0000000077CF4000-0x0000000077CF5000-memory.dmp

Filesize
4KB

Download
memory/924-77-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/924-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/924-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/924-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/924-63-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-110-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-100-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-1676-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-103-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-102-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-127-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-129-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1956-111-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1980-1187-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-431-0x0000000008880000-0x0000000008DAC000-memory.dmp

Filesize
5.2MB

Download
memory/1980-83-0x00000000001C0000-0x00000000001FC000-memory.dmp

Filesize
240KB

Download
memory/1980-403-0x0000000007FD0000-0x0000000008036000-memory.dmp

Filesize
408KB

Download
memory/1980-96-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/1980-91-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-427-0x00000000086A0000-0x0000000008862000-memory.dmp

Filesize
1.8MB

Download
memory/1980-88-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1980-675-0x0000000009F60000-0x0000000009FB0000-memory.dmp

Filesize
320KB

Download
memory/2244-1692-0x00000000046E0000-0x0000000004717000-memory.dmp

Filesize
220KB

Download
memory/2244-1691-0x0000000002AD0000-0x0000000002BD0000-memory.dmp

Filesize
1024KB

Download
memory/2408-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2568-1680-0x0000000000860000-0x0000000000864000-memory.dmp

Filesize
16KB

Download
memory/2568-1678-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/3320-5-0x00000000012E0000-0x00000000012F6000-memory.dmp

Filesize
88KB

Download
memory/3408-1690-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3788-139-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-144-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-162-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-164-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-166-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-168-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-170-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-172-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-174-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-158-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-156-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-154-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-152-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-150-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-1699-0x000001F4653D0000-0x000001F4653E0000-memory.dmp

Filesize
64KB

Download
memory/3788-1698-0x00007FFA255D0000-0x00007FFA25FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3788-142-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-160-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-148-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-146-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-140-0x000001F4652A0000-0x000001F465380000-memory.dmp

Filesize
896KB

Download
memory/3788-136-0x000001F4652A0000-0x000001F465384000-memory.dmp

Filesize
912KB

Download
memory/3788-131-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3788-138-0x000001F4653D0000-0x000001F4653E0000-memory.dmp

Filesize
64KB

Download
memory/3788-137-0x00007FFA255D0000-0x00007FFA25FBC000-memory.dmp

Filesize
9.9MB

Download
memory/4172-1697-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4172-1700-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4172-1719-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4540-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4540-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4540-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4624-1-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/4624-2-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/4804-57-0x0000000002460000-0x0000000002500000-memory.dmp

Filesize
640KB

Download
memory/4804-61-0x0000000002500000-0x000000000261B000-memory.dmp

Filesize
1.1MB

Download