asyncrat | b4409e0577f703425e8e4b4412a8c6e0151a8f35d6733339be2055bec257f5bf

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
Size

232KB
MD5

2c474a834185c1b3d4e58a390d3ad5c0
SHA1

a682acd5e698a74136b58395bf327247fdfd55f7
SHA256

1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e
SHA512

62a11db47522753a0506cb8a4ce074a49c1cd3fca5ce26a9407450d1e11373c92bd5765c3a85b23979b82cdd2c786a23ff5f912447619b410b9347e4ad1f9724
SSDEEP

3072:IJ+Uxkz08IhV4CxGoCO8fWgzOOKpBxUHGgqYZrbfCXMgS568tZJB:USIhVwefOOQMlE

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.ldhy
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.7

Botnet

655507914130aa0fe72362726c206a7c

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327

Attributes

profile_id_v2
655507914130aa0fe72362726c206a7c

Extracted

Family

redline

Botnet

Exodus

93.123.39.68:1334

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

93.123.39.68:4449

Mutex

kszghixltbdczq

Attributes

delay
1
install
true
install_file
chromeupdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exeB0AA.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7131b9bc-24e3-40c0-bbd5-3c2419225835\\B0AA.exe\" --AutoStart"	B0AA.exe
2592	schtasks.exe
2904	schtasks.exe
2180	schtasks.exe

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/828-113-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/1708-112-0x0000000000230000-0x0000000000261000-memory.dmp	family_vidar_v7
behavioral1/memory/828-116-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/828-117-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/828-272-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-34-0x00000000004D0000-0x00000000005EB000-memory.dmp	family_djvu
behavioral1/memory/2644-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2644-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2644-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2644-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-91-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-93-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-107-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-195-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\54A9.exe	family_redline
behavioral1/memory/1656-306-0x0000000000F60000-0x0000000000F7E000-memory.dmp	family_redline
behavioral1/memory/2256-455-0x0000000000B90000-0x0000000000BAE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\54A9.exe	family_sectoprat
behavioral1/memory/1656-306-0x0000000000F60000-0x0000000000F7E000-memory.dmp	family_sectoprat
behavioral1/memory/2256-455-0x0000000000B90000-0x0000000000BAE000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\adasda.exe	family_asyncrat

Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

1256

pid	process
1256

Executes dropped EXE 16 IoCs

Processes:

9A6B.exeB0AA.exeB0AA.exeB0AA.exeB0AA.exebuild2.exebuild2.exebuild3.exebuild3.exe4397.exe54A9.exeadasda.exeasdjijjjjj.exechromeupdate.exemstsca.exemstsca.exe

pid	process
2692	9A6B.exe
2628	B0AA.exe
2644	B0AA.exe
268	B0AA.exe
1644	B0AA.exe
1708	build2.exe
828	build2.exe
1940	build3.exe
2976	build3.exe
2148	4397.exe
1656	54A9.exe
2096	adasda.exe
2256	asdjijjjjj.exe
344	chromeupdate.exe
992	mstsca.exe
1700	mstsca.exe

Loads dropped DLL 22 IoCs

Processes:

B0AA.exeB0AA.exeB0AA.exeB0AA.exeWerFault.exe54A9.exeWerFault.exe

pid	process
2628	B0AA.exe
2644	B0AA.exe
2644	B0AA.exe
268	B0AA.exe
1644	B0AA.exe
1644	B0AA.exe
1644	B0AA.exe
1644	B0AA.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
1656	54A9.exe
1656	54A9.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

324 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
324	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

B0AA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7131b9bc-24e3-40c0-bbd5-3c2419225835\\B0AA.exe\" --AutoStart"	B0AA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.2ip.ua
26 api.2ip.ua
42 api.2ip.ua

flow	ioc
25	api.2ip.ua
26	api.2ip.ua
42	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

B0AA.exeB0AA.exebuild2.exebuild3.exemstsca.exe

description	pid	process	target process
PID 2628 set thread context of 2644	2628	B0AA.exe	B0AA.exe
PID 268 set thread context of 1644	268	B0AA.exe	B0AA.exe
PID 1708 set thread context of 828	1708	build2.exe	build2.exe
PID 1940 set thread context of 2976	1940	build3.exe	build3.exe
PID 992 set thread context of 1700	992	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2392 828 WerFault.exe build2.exe
1856 2148 WerFault.exe 4397.exe

pid	pid_target	process	target process
2392	828	WerFault.exe	build2.exe
1856	2148	WerFault.exe	4397.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe9A6B.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9A6B.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9A6B.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9A6B.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2592 schtasks.exe
2904 schtasks.exe
2180 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2888 timeout.exe

pid	process
2592	schtasks.exe
2904	schtasks.exe
2180	schtasks.exe

pid	process
2888	timeout.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

asdjijjjjj.exebuild2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	asdjijjjjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	asdjijjjjj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	asdjijjjjj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	asdjijjjjj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe

pid	process
2668	1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
2668	1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe9A6B.exe

pid process

2668 1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
2692 9A6B.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

54A9.exeasdjijjjjj.exeadasda.exechromeupdate.exe

description	pid	process
Token: SeShutdownPrivilege	1256
Token: SeShutdownPrivilege	1256
Token: SeShutdownPrivilege	1256
Token: SeDebugPrivilege	1656	54A9.exe
Token: SeShutdownPrivilege	1256
Token: SeShutdownPrivilege	1256
Token: SeDebugPrivilege	2256	asdjijjjjj.exe
Token: SeDebugPrivilege	2096	adasda.exe
Token: SeShutdownPrivilege	1256
Token: SeDebugPrivilege	344	chromeupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chromeupdate.exe

pid process

344 chromeupdate.exe

pid	process
344	chromeupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B0AA.exeB0AA.exeB0AA.exeB0AA.exebuild2.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1256 wrote to memory of 2692	1256		9A6B.exe
PID 1256 wrote to memory of 2692	1256		9A6B.exe
PID 1256 wrote to memory of 2692	1256		9A6B.exe
PID 1256 wrote to memory of 2692	1256		9A6B.exe
PID 1256 wrote to memory of 2628	1256		B0AA.exe
PID 1256 wrote to memory of 2628	1256		B0AA.exe
PID 1256 wrote to memory of 2628	1256		B0AA.exe
PID 1256 wrote to memory of 2628	1256		B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2628 wrote to memory of 2644	2628	B0AA.exe	B0AA.exe
PID 2644 wrote to memory of 324	2644	B0AA.exe	icacls.exe
PID 2644 wrote to memory of 324	2644	B0AA.exe	icacls.exe
PID 2644 wrote to memory of 324	2644	B0AA.exe	icacls.exe
PID 2644 wrote to memory of 324	2644	B0AA.exe	icacls.exe
PID 2644 wrote to memory of 268	2644	B0AA.exe	B0AA.exe
PID 2644 wrote to memory of 268	2644	B0AA.exe	B0AA.exe
PID 2644 wrote to memory of 268	2644	B0AA.exe	B0AA.exe
PID 2644 wrote to memory of 268	2644	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 268 wrote to memory of 1644	268	B0AA.exe	B0AA.exe
PID 1644 wrote to memory of 1708	1644	B0AA.exe	build2.exe
PID 1644 wrote to memory of 1708	1644	B0AA.exe	build2.exe
PID 1644 wrote to memory of 1708	1644	B0AA.exe	build2.exe
PID 1644 wrote to memory of 1708	1644	B0AA.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1708 wrote to memory of 828	1708	build2.exe	build2.exe
PID 1644 wrote to memory of 1940	1644	B0AA.exe	build3.exe
PID 1644 wrote to memory of 1940	1644	B0AA.exe	build3.exe
PID 1644 wrote to memory of 1940	1644	B0AA.exe	build3.exe
PID 1644 wrote to memory of 1940	1644	B0AA.exe	build3.exe
PID 828 wrote to memory of 2392	828	build2.exe	WerFault.exe
PID 828 wrote to memory of 2392	828	build2.exe	WerFault.exe
PID 828 wrote to memory of 2392	828	build2.exe	WerFault.exe
PID 828 wrote to memory of 2392	828	build2.exe	WerFault.exe
PID 1940 wrote to memory of 2976	1940	build3.exe	build3.exe
PID 1940 wrote to memory of 2976	1940	build3.exe	build3.exe
PID 1940 wrote to memory of 2976	1940	build3.exe	build3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe
"C:\Users\Admin\AppData\Local\Temp\1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2668

C:\Users\Admin\AppData\Local\Temp\9A6B.exe
C:\Users\Admin\AppData\Local\Temp\9A6B.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2692

C:\Users\Admin\AppData\Local\Temp\B0AA.exe
C:\Users\Admin\AppData\Local\Temp\B0AA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\B0AA.exe
C:\Users\Admin\AppData\Local\Temp\B0AA.exe
2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7131b9bc-24e3-40c0-bbd5-3c2419225835" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:324

C:\Users\Admin\AppData\Local\Temp\B0AA.exe
"C:\Users\Admin\AppData\Local\Temp\B0AA.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\B0AA.exe
"C:\Users\Admin\AppData\Local\Temp\B0AA.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build2.exe
"C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build2.exe
"C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1440
7⤵
- Loads dropped DLL
- Program crash
PID:2392

C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build3.exe
"C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build3.exe
"C:\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build3.exe"
6⤵
- Executes dropped EXE
PID:2976

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:2592

C:\Users\Admin\AppData\Local\Temp\4397.exe
C:\Users\Admin\AppData\Local\Temp\4397.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:1856

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4D0A.bat" "
1⤵
PID:1856

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\54A9.exe
C:\Users\Admin\AppData\Local\Temp\54A9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\adasda.exe
"C:\Users\Admin\AppData\Local\Temp\adasda.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
3⤵
PID:2884

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
4⤵
- DcRat
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp97CD.tmp.bat""
3⤵
PID:3004

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2888

C:\Users\Admin\AppData\Roaming\chromeupdate.exe
"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:344

C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe
"C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\taskeng.exe
taskeng.exe {A183AD5F-C3DB-47CE-8FF0-1FEEC2488157} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
PID:1820

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:992

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
71ae54e638d90bb900e726c50e673536

SHA1
dd3f0ddc106036845e378f916bffa0837935bd1b

SHA256
469625e4977eeb3bafa8cd4ab692670bd35ea4236b7592941772b3adc915c425

SHA512
12f736e40f2139e85783ac9f2af5f506286217f3605e15a17fc89eb03517aa333f5ba1e799b0dacb31b0a3538815d5a747173f13e684d2446881fe2eabb0bff2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
5551225bb21755d41cfdc3a32b6ba270

SHA1
1688d96b08d6028efe67d5061fd70ddb81206ece

SHA256
ab881465c044394eb15e26f5add51f6efb6bd3f73ab68d63cb52ea54bb71c47f

SHA512
bdfb74d39b43eca70a66efc977c96382098a647e5df86fa6da567202164ac7870bcdca01055c151600f0fd15cd7893ecb1975b1e3e3da2e9efa177720dc2af58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ce286c14b2c0e48b8733259e9bfc8561

SHA1
daf7fdfe5bc56915829efec1eb16ff2bc20e2573

SHA256
a599ac11eb6481c259f856ceb26181d6e90f8da912d0579e555ab9bf4a33c652

SHA512
2a9d660e0462621a365014051c45b4877b15a9ec136cd42d4ae9db3f30f776283b62a7c54c4b3aac0090c0b32c38cb8558678aaead5c2ba31d960df7d58734c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9a020960924fbc524113ef4b62a9f8e1

SHA1
d385bfde2c334c0fc1d8fa15a95c5ca0a5a9564e

SHA256
3f57815ad09767218860b174163de633cde014e0b410f1b284a6ef33315994f7

SHA512
717d9eedc6c4858ffdd60fd65cc6d2ddc3e671389e201a3324b0b72f1d41f9976464df1f908cd72c98b3952b26f9083997f71f35acab8d70f5b5c5788c525214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
27e526f9d6945a75ad6b3ff3d4e25083

SHA1
7de251ec0399772afd48c0981240aad6321ad373

SHA256
7038ffa562347d3e7936365f4ca32d2f946595d8d67c714f3c94244e7c8b0110

SHA512
0dd07303e79ddf924d832d3860381741eaba39b9cb94ad3e3981bac22a651e549db8fc11c6641ccfc34dff33dc787a03919d0f86582621fe0c135c30317b27f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4397.exe
Filesize
6.3MB

MD5
b1e8d4d7dd26612c17eccbf66b280e7c

SHA1
97dd5e81a4014fb54ef5ac3f1db88519843c85c2

SHA256
e3940372b04a4cb2177ae409c195debccfe004600d73a39d429a577d248d4cb2

SHA512
ff70dd3103128cd36bd1da3a734e635ec76d53a5629fc1f05941d6cadb9e82310da0ea298dcf449ef17c42a70ea7d787a75585ffa37a74f9007ca91a4481ecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D0A.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\54A9.exe
Filesize
95KB

MD5
57935225dcb95b6ed9894d5d5e8b46a8

SHA1
1daf36a8db0b79be94a41d27183e4904a1340990

SHA256
79d7b0f170471f44ed6c07ddb4c4c9bb20c97235aef23ac052e692cb558a156d

SHA512
1b6362bdb7f6b177773357f5fe8e7d7ee44716fd8e63e663e446f4e204af581491d05345c12cd9cca91fd249383817da21ef2241011cdc251b7e299560ea48c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A6B.exe
Filesize
229KB

MD5
d10ceb31dff3ca0c51709fa32cfa078e

SHA1
6c07a177d886c49d96aa47ae19a6672120592c8c

SHA256
f6ccdda55b0298c9cd9c5dedd9a929bd370e6855edbf6cb0e66b4d9af610d139

SHA512
82118dbb5fdfb5e19e2db72774d5a6e86d5a1a238eac93072ccc9ecdaa6755e6ae51082ffaa9e49aed882f95719bb41c5472149d2beff0cb43902e52c5415f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0AA.exe
Filesize
728KB

MD5
762ba1aff6bacca1f01a4bd8c6af3258

SHA1
2a0584ca791c25b7c0ef610f4e6a84b7a967cbf5

SHA256
02164a26984198d45d80ec8a7b86b33395fa4305c2431f9320df7af7ed61a631

SHA512
742ad8520f2f7b077139056c1651c62c046805f97c7a82d82e9b0cf8c4445745ca631ee3724ad5272c0cede6818be8293f2b0c3dc1ca13e8d88c8b23a54a2333

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBFF5.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDEFB.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\adasda.exe
Filesize
73KB

MD5
25b6389bbaa746df85d53714d4a6d477

SHA1
86e6443e902f180f32fb434e06ecf45d484582e3

SHA256
4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56

SHA512
6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77F8.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp780D.tmp
Filesize
92KB

MD5
1f41b636612a51a6b6a30216ebdd03d8

SHA1
cea0aba5d98bed1a238006a598214637e1837f3b

SHA256
34e9cb63f4457035e2112ba72a9ea952b990947c9dc8fb7303f4d25735f2c81c

SHA512
05377e24e0077208a09550b7a35a14c3f96d14013aadee71f377450cb3a13ea70a2b85f6af201e1c9502fc1c33e243b1de09de60313fb5be61bc12f6efe57ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp97CD.tmp.bat
Filesize
156B

MD5
ae6240e9940c37874a726eca0056bf57

SHA1
5ae84d9225fa9483f8d4f0316f97a3c329552a93

SHA256
75a7cdfde83c861a7c8613ccc408048d714519192053eaabc5a3d83ff82deeaa

SHA512
312114b0d19d45fcbaad8a48a007ef1b28e3351d4fddee271e4db7936012159c803c120b578e8184429bebf67934409b8dbee934856d261e855a95b43c61e81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA07.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build2.exe
Filesize
332KB

MD5
a0cc1241aa4803dc23ff778af73e3768

SHA1
75d07c8f1784e8e64e7520c2666bc63c2a477ffa

SHA256
c0b12bbdcb41f6941d4356309fd8a43f61cbfd18eee044ff1771cbdbba248466

SHA512
3ccb46eca07827f5c86b31da5f7ab1b4a4b80f0cf3c1f8245c9ea57cf7c2244bc5f867a09696ce1c80cce38c631c7f6a13dca537b8e4b297735324f52cabb755

Download Submit
\Users\Admin\AppData\Local\4b6b566c-2e75-476f-9043-2ca619f5cc3a\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\Temp\4397.exe
Filesize
384KB

MD5
810fc21bce01f94d3bf8cd02fe9ccf02

SHA1
4809b5c82739d830c0121f75441bcc7e5e4ced4f

SHA256
ffdb39c3febed9d88171adfbada8a4d2c72ef57a8ef3738e938cc434af010ecd

SHA512
5b07fcfa8ca3a7e97b2a143a86ba47ea126e7ef41ab97bb99ecc682c9dd93d132661c30d685bf2f5d2470126da841d76e190bcc01e8437f30f02b04227df64d9

Download Submit
\Users\Admin\AppData\Local\Temp\4397.exe
Filesize
448KB

MD5
d863bdca62d3ad7d65f783dc4e00b6d3

SHA1
f84b04fc6f0dd9f2b7f0b36328ea538be846b872

SHA256
f19bcc449ed64e7d8db632513611028d4a5f05fbbd38c27de699b932f5060657

SHA512
99b3f8c0a765fc2886db8852835f8f7e8d4f88d6f294a12638c84bdac61787a55f3a5b538224b4edc892ae7e4f0a18f5ac11bb9007944e180117480b54fb0249

Download Submit
\Users\Admin\AppData\Local\Temp\4397.exe
Filesize
512KB

MD5
e69bdd7a06f16a09d60610145a44ce78

SHA1
392011802bf6262ec395641b24a23b212660ab91

SHA256
6fc50a3fd6b2c9a981dbc185960b4a3eae0973088341f24f976491532e751694

SHA512
81792c935f279dfbad50a76c11844075d8ed508aeb97f0f686d5771a83bf0f50c42719ed158e88c007a970f472945b2107ed6ad2674c55929b9212419cb07ac8

Download Submit
\Users\Admin\AppData\Local\Temp\4397.exe
Filesize
4.7MB

MD5
12602af7e21f7a52bb45ab86f2d3cecc

SHA1
18ce9078605615217b8637a9cf75d8ec212f349b

SHA256
752d52f90e3cf00830b2d9db620aa207f4b852212dfb825e9ffb0c94f2357ecf

SHA512
426a1333563703f9aed0e0835ab9a77fa61bccbb3f1ddf96e2c3fccbf4d11190f223aa1d2f1fc84e75d0278de498f56d527bf700351d64951c1f070aa61f11be

Download Submit
memory/268-65-0x0000000000730000-0x00000000007C2000-memory.dmp

Filesize
584KB

Download
memory/268-63-0x0000000000730000-0x00000000007C2000-memory.dmp

Filesize
584KB

Download
memory/344-625-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/344-515-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/344-626-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/344-518-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/344-516-0x0000000000050000-0x0000000000068000-memory.dmp

Filesize
96KB

Download
memory/344-610-0x0000000077050000-0x00000000771F9000-memory.dmp

Filesize
1.7MB

Download
memory/344-629-0x0000000077050000-0x00000000771F9000-memory.dmp

Filesize
1.7MB

Download
memory/828-272-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/828-113-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/828-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/828-116-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/828-117-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/992-620-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/1256-20-0x0000000003A70000-0x0000000003A86000-memory.dmp

Filesize
88KB

Download
memory/1256-4-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/1644-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-91-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-93-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-107-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1656-462-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-309-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/1656-307-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-306-0x0000000000F60000-0x0000000000F7E000-memory.dmp

Filesize
120KB

Download
memory/1708-110-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1708-112-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1940-263-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/1940-262-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2096-461-0x000000001AE80000-0x000000001AF00000-memory.dmp

Filesize
512KB

Download
memory/2096-456-0x0000000000BB0000-0x0000000000BC8000-memory.dmp

Filesize
96KB

Download
memory/2096-475-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2096-474-0x0000000077050000-0x00000000771F9000-memory.dmp

Filesize
1.7MB

Download
memory/2096-464-0x0000000077050000-0x00000000771F9000-memory.dmp

Filesize
1.7MB

Download
memory/2096-457-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2148-476-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2148-506-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2148-481-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2148-282-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2148-292-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2148-479-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2148-478-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2148-296-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2148-297-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/2148-294-0x00000000012B0000-0x00000000020DB000-memory.dmp

Filesize
14.2MB

Download
memory/2148-298-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2256-611-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-459-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-458-0x00000000046D0000-0x0000000004710000-memory.dmp

Filesize
256KB

Download
memory/2256-455-0x0000000000B90000-0x0000000000BAE000-memory.dmp

Filesize
120KB

Download
memory/2628-34-0x00000000004D0000-0x00000000005EB000-memory.dmp

Filesize
1.1MB

Download
memory/2628-30-0x0000000000360000-0x00000000003F2000-memory.dmp

Filesize
584KB

Download
memory/2628-31-0x0000000000360000-0x00000000003F2000-memory.dmp

Filesize
584KB

Download
memory/2644-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2644-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2644-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2644-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2668-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2668-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-1-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2668-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2692-21-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2692-18-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2692-19-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2976-270-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2976-265-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2976-268-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download