djvu | 212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

230KB
MD5

5696e707bb2de303879e042ba9fb2681
SHA1

d31c6d321bcb949c8067b801f2565a73ad6b38a6
SHA256

212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c
SHA512

62eb3db3bc4e1ddc7bd107dec4d103d5f6f6155e073a40627fad43270ba405d421143e492e82765422d02c807c0d3d406a6e21475cf1a6ce7239fb3f27b7e967
SSDEEP

3072:sGTO9LytnkyFI/Kvum8OJ0iv3TGoAbyxieCh4RSf1X7QP5IStpTG:W9LYFI/bmvJ0i/aouyxR69Sn

Score

10^/10

djvu smokeloader vidar 1b9d7ec5a25ab9d78c31777a0016a097 pub1 backdoor discovery persistence ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1148-137-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1148-141-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1148-140-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1864-136-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/1148-291-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2772-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2772-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2772-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1648-35-0x0000000001D60000-0x0000000001E7B000-memory.dmp	family_djvu
behavioral1/memory/2772-82-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-93-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-92-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-109-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-110-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-116-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-114-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2052-231-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

1404

pid	process
1404

Executes dropped EXE 11 IoCs

Processes:

5E46.exeE245.exeE245.exeE245.exeE245.exebuild2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

pid	process
2664	5E46.exe
1648	E245.exe
2772	E245.exe
2092	E245.exe
2052	E245.exe
1864	build2.exe
1148	build2.exe
2924	build3.exe
2400	build3.exe
556	mstsca.exe
1192	mstsca.exe

Loads dropped DLL 15 IoCs

Processes:

E245.exeE245.exeE245.exeE245.exeWerFault.exe

pid	process
1648	E245.exe
2772	E245.exe
2772	E245.exe
2092	E245.exe
2052	E245.exe
2052	E245.exe
2052	E245.exe
2052	E245.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2312 icacls.exe

pid	process
2312	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

E245.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5d615456-f81f-4c8a-8571-aad216b89c80\\E245.exe\" --AutoStart"	E245.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.2ip.ua
11 api.2ip.ua
23 api.2ip.ua

flow	ioc
10	api.2ip.ua
11	api.2ip.ua
23	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

E245.exeE245.exebuild2.exebuild3.exemstsca.exe

description	pid	process	target process
PID 1648 set thread context of 2772	1648	E245.exe	E245.exe
PID 2092 set thread context of 2052	2092	E245.exe	E245.exe
PID 1864 set thread context of 1148	1864	build2.exe	build2.exe
PID 2924 set thread context of 2400	2924	build3.exe	build3.exe
PID 556 set thread context of 1192	556	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

968 1148 WerFault.exe build2.exe

pid	pid_target	process	target process
968	1148	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5E46.exefile.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5E46.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5E46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5E46.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1260 schtasks.exe
1280 schtasks.exe

pid	process
1260	schtasks.exe
1280	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

E245.exeE245.exebuild2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	E245.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	E245.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	E245.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	E245.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	E245.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
2872	file.exe
2872	file.exe
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exe5E46.exe

pid process

2872 file.exe
2664 5E46.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1404
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1404
1404
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1404
1404

description	pid	process
Token: SeShutdownPrivilege	1404

pid	process
1404
1404

pid	process
1404
1404

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E245.exeE245.exeE245.exeE245.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1404 wrote to memory of 2664	1404		5E46.exe
PID 1404 wrote to memory of 2664	1404		5E46.exe
PID 1404 wrote to memory of 2664	1404		5E46.exe
PID 1404 wrote to memory of 2664	1404		5E46.exe
PID 1404 wrote to memory of 1648	1404		E245.exe
PID 1404 wrote to memory of 1648	1404		E245.exe
PID 1404 wrote to memory of 1648	1404		E245.exe
PID 1404 wrote to memory of 1648	1404		E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 1648 wrote to memory of 2772	1648	E245.exe	E245.exe
PID 2772 wrote to memory of 2312	2772	E245.exe	icacls.exe
PID 2772 wrote to memory of 2312	2772	E245.exe	icacls.exe
PID 2772 wrote to memory of 2312	2772	E245.exe	icacls.exe
PID 2772 wrote to memory of 2312	2772	E245.exe	icacls.exe
PID 2772 wrote to memory of 2092	2772	E245.exe	E245.exe
PID 2772 wrote to memory of 2092	2772	E245.exe	E245.exe
PID 2772 wrote to memory of 2092	2772	E245.exe	E245.exe
PID 2772 wrote to memory of 2092	2772	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2092 wrote to memory of 2052	2092	E245.exe	E245.exe
PID 2052 wrote to memory of 1864	2052	E245.exe	build2.exe
PID 2052 wrote to memory of 1864	2052	E245.exe	build2.exe
PID 2052 wrote to memory of 1864	2052	E245.exe	build2.exe
PID 2052 wrote to memory of 1864	2052	E245.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 1864 wrote to memory of 1148	1864	build2.exe	build2.exe
PID 2052 wrote to memory of 2924	2052	E245.exe	build3.exe
PID 2052 wrote to memory of 2924	2052	E245.exe	build3.exe
PID 2052 wrote to memory of 2924	2052	E245.exe	build3.exe
PID 2052 wrote to memory of 2924	2052	E245.exe	build3.exe
PID 2924 wrote to memory of 2400	2924	build3.exe	build3.exe
PID 2924 wrote to memory of 2400	2924	build3.exe	build3.exe
PID 2924 wrote to memory of 2400	2924	build3.exe	build3.exe
PID 2924 wrote to memory of 2400	2924	build3.exe	build3.exe
PID 2924 wrote to memory of 2400	2924	build3.exe	build3.exe
PID 2924 wrote to memory of 2400	2924	build3.exe	build3.exe
PID 2924 wrote to memory of 2400	2924	build3.exe	build3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2872

C:\Users\Admin\AppData\Local\Temp\5E46.exe
C:\Users\Admin\AppData\Local\Temp\5E46.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2664

C:\Users\Admin\AppData\Local\Temp\E245.exe
C:\Users\Admin\AppData\Local\Temp\E245.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\E245.exe
C:\Users\Admin\AppData\Local\Temp\E245.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\E245.exe
"C:\Users\Admin\AppData\Local\Temp\E245.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\E245.exe
"C:\Users\Admin\AppData\Local\Temp\E245.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
"C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
"C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
"C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe"
6⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5d615456-f81f-4c8a-8571-aad216b89c80" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2312

C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
"C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1432
2⤵
- Loads dropped DLL
- Program crash
PID:968

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\taskeng.exe
taskeng.exe {02089679-7578-4837-9EBB-82736132734F} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:2440

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:556

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
7b0c931c9e5f4ae3b486907b8e65fe09

SHA1
abb761d0fe5318119a8a21204b56840a83c12584

SHA256
d21cfbea4d9bae6d62238f6c73b0c9d2b85ca549cd6c404d013e9f859d1e4fd8

SHA512
2f9a996f02606e5a0c8a288045644b43b45401f1bfd7dcc8593fde95573d77ac83b466af1d3b019f6ae444304f7c564a4685f751a68cb04d8f014d7001409c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
4a93878372072296478fbb55a38a542f

SHA1
b8d588d92411daecd4d50d42b806394f9b4ad664

SHA256
d6eef722fb6775757ba8b903a1546f5b17a15c55aa47429db570094c1d592cef

SHA512
9be0df07cd5e5206fe99a007b58de8a558698bc7a4fe7b8231ca73bfaafda23be5478a57b0ff384faac27e75dd693548816aac77568de72b57e2523634316e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
919cd8ca30334bddc24232c92bc059e2

SHA1
7fabe430ed914e25d163ba979dfbea742574b126

SHA256
f5333c2443edc78b6508d04253f7f5b1a6fbe125b5a3f1a5f37faf305a7ea85e

SHA512
2b18aded2e3fa4425a747492f341ebd0d5eac5422ba1f5a0596c78373d12f04d0565aadae24543209344936529c12da3ef8ddaa5d63bb25771224ce276bdf244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3c135eaeac48967cb5be60f316d28111

SHA1
5501e4678671a845e93e03689002bde6905f8903

SHA256
0beade408d65122fcc4bd7feb91432794edeb9131cf387dcd977aa727c996e3c

SHA512
400cb45e850b381e14e278ba47620893f9c64a7aadfa04825930fa7f3c9c5f3a29b7f4aed42f75ba6843b50e94c63bc15dfcfe66b5a90456fb6ef9b5bdad29df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
082bc0fa071aff17a713f7da2fe4a2e0

SHA1
c23c04a607add00199cfcbc5b08835ebae38e0e1

SHA256
3ab7a76f16d9ba1208d7e334b6f8d52f305083f11fa4a3cb48e2d7b68c6356cd

SHA512
746e84cd0281914ef33e70229c18703964b3b67b3c3a0b06b21e26b8a5c7f203553e9980b77506d1381e444b6d1a3a0faa3ef5add6e1a9c2f92ebc955d26d316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
8b14ae61b4fc37ac5c01cb174aa9f209

SHA1
2d152f054add53341662206c8774364b3821c3d4

SHA256
4aa3d17d58d197d0a2336444e6c431d9483402a86be9061eac2aeb4ec2fa7494

SHA512
4ba68ec0b8a9c0e2e49a34814f6886aa9a0a46e0b850b7c831dff3bda72337c2ee074c5c3130a7e81ba250c8418fb130e6260c41d4ea814a783bf4b1473c1ba6

Download Submit
C:\Users\Admin\AppData\Local\5d615456-f81f-4c8a-8571-aad216b89c80\E245.exe
Filesize
477KB

MD5
e0ec015eb2d8a3ed06a5364c5206dc62

SHA1
4de0b2eef12710195f528657d58df0ef6d56d7f6

SHA256
88877e0bf67b30040f24bc4566bc8b25f778618c7c70519ea2d0e94674b4269b

SHA512
ba066dcb81b5d7502158b5f94244206509eddfb0f35499f81c854ebeac46aa4e74369d999fb37359141888267a9654f04d2a0822428b670aa1f421e3c5336373

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E46.exe
Filesize
230KB

MD5
5696e707bb2de303879e042ba9fb2681

SHA1
d31c6d321bcb949c8067b801f2565a73ad6b38a6

SHA256
212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c

SHA512
62eb3db3bc4e1ddc7bd107dec4d103d5f6f6155e073a40627fad43270ba405d421143e492e82765422d02c807c0d3d406a6e21475cf1a6ce7239fb3f27b7e967

Download Submit
C:\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
381KB

MD5
648a103fe0654ada8bddab6a48e039b9

SHA1
3fdbc0605829a0c29101ef0016ac1e2c5583b247

SHA256
883c4a427c97a77faf6b9a13d1c526abdd27c7b1d8e84b22039d98f246208aaf

SHA512
7da8078ebc40cec8aae3e08ca388497d3a0e0f8ab089514ce65f2692dbfe851f00cb98587e9e227b9e2a49195c299e35e07fdddf0576b79ee725a5dd18084c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
712KB

MD5
be819d3bc999cc0394e23748dbcd904e

SHA1
57abc86e04356e800413912d1ed88cdc31d053b7

SHA256
a44a88124f4a54a24ef3da163c53d2e25fc61b7c8596a4f9aa9ef0e1d9ccc9fd

SHA512
d60d3cc0d73ff8a77e251aa2f6c90437ee1457b690cb4a2d9b20452cda14b9491f76d221578dd9bd9d634a68b4c0d7a23316911a881be23c687e6e9429048c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
340KB

MD5
a1efaebac1875107f920131a570acdc9

SHA1
9e946cd1fe1895cff5b3c9bb3aa6922b23f968d3

SHA256
3cc4d898a3e85207383a01ffc7683fd7ad0e6a38e0ecd5546a428fd347f2f8f9

SHA512
1fb827df4aff9c801c6bfe07734be4da9f81c23ef30d64061b3822d86e79f2d02958e58a4e0203f90392ce6f174b57e1922dbe1699bbbb954a42c92f0d9ca163

Download Submit
C:\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
167KB

MD5
0d63fa9b11cb747128b5226ba2bd26bd

SHA1
ae3919487e83132729b633545649192c7d93141e

SHA256
d7618a2bd8a6134bf02707d75f863837805c1dea00269b5189e27e0ac29ffcd4

SHA512
29a355f8cdaf801fe93d8a6acf1ce35f31e2a7a0d6a907c763dbe530546bc81780c2bab53282cec3abd5b1b7dcd28035849a6a4683ad738e2cc50aa3bba87661

Download Submit
C:\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
547KB

MD5
eb3a9339db0eded5eeb7c330bff503b8

SHA1
c891d8da5c11f25ed48a6bfd343f10a7bb47f39e

SHA256
cf8f48dfb4790eb20a4b198c4d55417083584f0a5884d3c9caaf4956eab99b34

SHA512
2facb2f8918e5d70ff6157348c6f22187e52baed1a4ed3dbc2a9348deaaf38737da141ec54fc49dacd1b3e391b8c0499787a47fb2b19e8c0e0b670ade6280bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
275KB

MD5
355db67cde44b37ec416fdadeff8374e

SHA1
ed66fbe3c5af1f6feb56a8c0c641a212e2c7177c

SHA256
d2048e23d38612577aa2be7c2676d792cd750625c2da395e2617c8cbb1c27cf8

SHA512
af85fe9a5af0e74d7ec3f8a6e1d51ae1d1752ee49c4252a5c281fd3428225ded5bd02b75e474e8d119f0c735a99055fac25ec703faa82bd57bf625f7ee32228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarECA1.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
283KB

MD5
c1f68d83c704d9b4288d719719c3aea7

SHA1
6039745f1524108cefbf51388547e6a832d22031

SHA256
b07a84a191a23a2f77df908e1f768d482f9f5e6b8973b08d824506335ee0dd2d

SHA512
6b4615e3e72cb85218e5417478b5b36e27905a1562a37c01ec40dbdc9bd739442c3413ce6bbf80df3aa5a732b91fb32bfe190d8bd46780269586101925716ede

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
236KB

MD5
2f0909aa5fbc61ab248f829fe0eb7e79

SHA1
85d7e3222887584897297fd95b50d8af4fec5607

SHA256
5a190635eb2fb943df20604f0bc3f32ece13fd4ed2178c2578fb84f42554b319

SHA512
358a2425aed4b0f1222be5e90a184f96c36e5b18c2e65bd53b644795aa5203401ae13668fd03ec7db500190b3120ee5b0b8d630aed5b357c7d3b115289f34d8c

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
214KB

MD5
4d36cc3f352d249e3bcd545394d755e2

SHA1
c586487ebbab1b373c5c515d06b20b8ce688148a

SHA256
abcad8d648d9d9e0d75c78aa053b3e74391b0e5041fe855503c8ee5731891a94

SHA512
ea73a05b0efcde0e05e073e375da032c74c310fd47b5712e656b2b3db8bff6a32fa4b44ad2528c79579cb6e6ee13065304a4071dcf4c338e0b455401cd1edc09

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
Filesize
45KB

MD5
cd1daefbe2f3399fdaa07d200486e143

SHA1
da202756c0510fbdc3b14db31dfcbf9b1a53cf79

SHA256
1c60cba4195bc69193d78278556c9206228ce900537c18215ea95ebab831eed4

SHA512
2ea8352e339d649347370c35081295ebf7ba5f9127d86448a5532470bd5250f43748ba1e09cbe0f13b7f73c61f1a043bb6c0986688be4fca7501aee845abdac2

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
Filesize
164KB

MD5
b974083489435b968da84ee8ce6c7cf3

SHA1
5decceb5e1b72a25f5eef5b6965e7a782367423f

SHA256
ce4151d4d518d85d280029e29710aeabac4a0516fbd3598544a4a8d4438ad8a6

SHA512
2c3c288f96964c9d4df2edca70b85efbdefd0511565416649fff97b88430b30de0b474971f5a08f9ad8edfd3ed9b02286794c6cc02acbcc6e3ba558c02dac797

Download Submit
C:\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
Filesize
124KB

MD5
3a62cdce94643fffcc7a9f12d9f6c2fb

SHA1
1d64bfd3397f4b031f733b62d6530c7b6bf96d0e

SHA256
fb2ead649110028a8d24ca81531573facef2be83f67e77960750c45861702794

SHA512
3c63bc3db09e6027030ee2c1cd175af180fd13a3959bea1f1c471774f0650d1198878e12d26a27dfa5749a80b12d09789b210c27d32e3514be0e05a7fe4c3767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
88KB

MD5
7d86c08f7976237389eb2eb22b279fa8

SHA1
ee262394b95484c9e398feb33d4990dd19fded21

SHA256
b240059bded24771d813b7cd756218bdef0ce2b7e52e585393026aaac704f006

SHA512
d6b40fd19f3cd8004176ea81003449c07814991f57510b7d707588ee4f1dfbc38ca3b5ed5574cece63b438dc1f6958b7c37fe43fcd73eefd3ca852190dfce99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
351KB

MD5
67ff1f9675343561404eed12fab27b6c

SHA1
e321c96d990a1818e9e09066576fc67202fc674c

SHA256
3c7eac46ea4f06041e03af7742c2488ff51cf3bec851a25c937b60701a337c4d

SHA512
66d2947073a28454fe78b1db3d2e2c8d11a6452511c03648f8d10d45ad5696b73b09effd885320ecb0696a616f641af0887084aff93cd070b0dcd121beae2834

Download Submit
\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
362KB

MD5
2a7a2c2deac29a809bc356d8f41e2336

SHA1
1a379e9cf00895627ed56885d4115ed3c5669308

SHA256
ff523f22448b7d9426547111442fb4d47ac533351c25cd45c3c7210d1afa437d

SHA512
70127ab3b20b32a7454bcd9dfb3f822c31d899d8e5898b3a8e381acdb6bc6c826458876d3d2ce417b6a250e6e21b100c8895347398fee9ecfc107f76f8718e3d

Download Submit
\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
491KB

MD5
690f9e4477e329de3e3c07b35097f94c

SHA1
2fcbade5e041dfb474f183079ec6159ea6f15710

SHA256
8e3be1068d0f3ace2d6562b5feb9d2ed60ea90cc11b3f1d363b1b0b48d9aa961

SHA512
ca91e319f2fa2800174abc666a783dd1939c65db1f62e185aad7e9f08a626a2d513b6815af367a645a6db97b913e7e7cf5d401ee63fe2837a4fad2579903eaba

Download Submit
\Users\Admin\AppData\Local\Temp\E245.exe
Filesize
242KB

MD5
fb17b50a8573884ed07330285cf2fbc5

SHA1
986384ae4eaf552fc6db259ca57e075c66ec5bca

SHA256
172a8f0778e89551f9690d2e6ff6a1cfb5065318d6d15349f707aa35f3ce3879

SHA512
39642d86b76f84c0beae673449cb76834e0e096743b45f58365cc8a9c85657d266656575f40a6b10291437226984cca9174aef951864cefa132c7f6ef376c57f

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
304KB

MD5
df4216b20586227d0865d994567cbf8e

SHA1
a763010cfd066e0e093fffe92bb1373608d78f89

SHA256
cd337bbe7098f7b5e4ccaf0acbd45c57ee170c5bc4ae0d13b34051f1ff85eb07

SHA512
dfbbb89e410fcafb69e75f309d773f5df6732a8378537e34d5cdc7cebe91c268037933b5166f5eb308352bc472804c6cd2c0796e43a39caa26de99699ed809e9

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
96KB

MD5
5c443434ba005ed68ce1247d031b2779

SHA1
07ee3a70591652c08839bc7644b3df7c051bc7ae

SHA256
9ef75fc0eeea8c1569fef44501f6ca4d8c4932b3e3299863e6005756a49e9a42

SHA512
cbec61c1d39219554ef173ac588e74ac3324c2ae1930fb9f41946dfe182ef68450b6a2bddc5bcf4aafd4ccaa84353eeb2e032e2b7ad0fee19e5dc09c6f9fe302

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
134KB

MD5
00f4c2fbc5e052f4f9c4b2b34f8fb5d6

SHA1
b71ab0b8ec390a90eced316d4bd1c1f48e23e901

SHA256
caf15021103d7056afde9179061e97353a1aa37baddcb81301c863234652fdc0

SHA512
e57076e7202642f0df7af9914597608e0bcd2e1ef7faf94c1790660e97309beab84c7100e3c872964d37bafa516592d307d24de7e020942f08624961d14a1b9a

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
122KB

MD5
53dd0616013ad4402500f13073150194

SHA1
2b8c5c641e7fc5da1b8abc33e0fcbcd12a2ca5ef

SHA256
fdb79e65ce6a6c2754fa8c15688c6828ce475b071878bfb23e9e0718f8bfd7ca

SHA512
81b0d84a7247be0a10eea7ae05cde1f7951aa75bf6faf5655245524a2b5b2823b9a6f900401eb42c67faf00c1200147950cb94c68ca2a9633d3683497850f5de

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
140KB

MD5
1c7606ee8df7779a54741770e2f5ea96

SHA1
e8be60babf8cbf49849119209209b5c8d2b3c03b

SHA256
db8e251e93824be1e231cde5c4bba335047e7803ab478ef9531f9e5175b7ebd9

SHA512
1b3253cc38dfbfe13cbc088531aed82e629645995f9eb0b3ef97e2ebcd9a3b34f5b033abb0be97e7e6afb5e3efe2ff8a0b4e571639998cbd592a8f05cfa2c487

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
80KB

MD5
9b22de87b58d2c9fac6c2b6cadf9934e

SHA1
22c7f00ec7d1fe20eab264c496e78f159ff9f5bd

SHA256
179abaea763d1422825af080820a5ad71217e87e527d455cb5b74e168379d89e

SHA512
6278106a36cd39ccace17c80f4e8506cc5e75fe661412b628e5166aeeea89572135d8d4075d2a3a8b6d940920537fcf8caa1e4a317d1f4f7b22a791e01b3beb3

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
162KB

MD5
4ff0d86c996fba395ca9fd9233ea4c70

SHA1
5c784f19a5d0b35919d358a020374462c048dcd7

SHA256
5143a92e7d1c2b0b2f4548c3cc77f0564905b8985de2870c6f45749273eeab17

SHA512
8ebe4bd9ba11f2220ec39c4cf521d31445bbc60bcc0b932b6315a9f62a7404fe79c0081aeb03b92385c211b4fe423598326852957f79b9fea3079cec7d5f4b4b

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build2.exe
Filesize
45KB

MD5
dcceebec97dd6ae117945f23eab2470f

SHA1
e855d3a02f307e47d6e161f034750d818eb4aa5b

SHA256
1c5eb663482dff546241439bb61b4a182aae235801b72d58f4a8becc28224fb6

SHA512
93d2481665c6e17853bd51f2136f770062d8037886de8390f0fba32f963cc3dc4879afbd3c96345c9ab60f866a9220e624c7a7b4a4ac66648e6bab86f3b5571e

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
Filesize
35KB

MD5
aef5e09f2c4590e059a90627b51f707a

SHA1
3b83e862f5a8aef24a1a2e435e047988a338ca6c

SHA256
dea7a0914cf2d6d8c5aa954dcb48bc534253cba9b88f76e600dc095b31ee748e

SHA512
b0ac7f3f79b7db0a0c171fb97c0efeb11080a5ca63b12f54e2d8ed40dbd1d60f49f1955964eb4cd5a460423bf8044f1fb3ff87ce2394fc0d04017b07c9ad9582

Download Submit
\Users\Admin\AppData\Local\f2532369-bf3e-4ff1-87ed-99e9a460c280\build3.exe
Filesize
58KB

MD5
66df22bfce5fae5c658dd3338a25ff34

SHA1
e7dd7d976907933c3b26f555d64fa50e3ea91371

SHA256
43cde8569a8b1b0678cc9b1f802f2126848e68a8448d59ba85fb20bb7d2de368

SHA512
40cd5d2e0d4d870f5fb85bcaaf5a55cfc7e5d24fb566dd90febd87c6eabf91be19eb56d781ef651732421878a2bc6451917c05190450bc44d09294c458a3baef

Download Submit
memory/556-304-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/1148-291-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1148-140-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1148-133-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1148-137-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1148-141-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1404-4-0x0000000002930000-0x0000000002946000-memory.dmp

Filesize
88KB

Download
memory/1404-20-0x0000000003E40000-0x0000000003E56000-memory.dmp

Filesize
88KB

Download
memory/1648-35-0x0000000001D60000-0x0000000001E7B000-memory.dmp

Filesize
1.1MB

Download
memory/1648-41-0x0000000000340000-0x00000000003D2000-memory.dmp

Filesize
584KB

Download
memory/1648-32-0x0000000000340000-0x00000000003D2000-memory.dmp

Filesize
584KB

Download
memory/1648-31-0x0000000000340000-0x00000000003D2000-memory.dmp

Filesize
584KB

Download
memory/1864-136-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1864-134-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2052-92-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-116-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-93-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-114-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-110-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-231-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-109-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2052-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2092-84-0x0000000001CC0000-0x0000000001D52000-memory.dmp

Filesize
584KB

Download
memory/2092-91-0x0000000001CC0000-0x0000000001D52000-memory.dmp

Filesize
584KB

Download
memory/2400-282-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2400-274-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2400-281-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2400-279-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2664-21-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2664-18-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/2664-19-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2772-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-82-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2772-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2872-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2872-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2872-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2872-1-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2924-278-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2924-277-0x00000000008E2000-0x00000000008F3000-memory.dmp

Filesize
68KB

Download