dcrat | 844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c

Analysis

max time kernel
300s
max time network
271s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
Size

232KB
MD5

185a1b0ab430f183de2e7596aad5e816
SHA1

675a4ea811895114f2a5175840ad133e45a92da3
SHA256

844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c
SHA512

5d1a813849071833f58892cd1a96f93fc3fc74f4b186d02805acebea139a8d155769b4f163461bb4d67f5f855fc464f46fe806ee83cd6aac3017b0d9886b9c57
SSDEEP

3072:9XWBXnn0gEQrq4rkmhKVUi9wwMq8x5G5fXMqzX5HSaZJB:8D5BrkmhfHDqG5CP7wO

Score

10^/10

dcrat djvu redline sectoprat smokeloader vidar 655507914130aa0fe72362726c206a7c exodus pub1 backdoor discovery infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.ldhy
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

Exodus

93.123.39.68:1334

Extracted

Family

vidar

Version

7.7

Botnet

655507914130aa0fe72362726c206a7c

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327

Attributes

profile_id_v2
655507914130aa0fe72362726c206a7c

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exe844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe974.exe

pid	process
2888	schtasks.exe
2052	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ac34063a-7bf1-4944-8c40-4a8064d1ce2e\\974.exe\" --AutoStart"	974.exe

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2108-184-0x0000000000230000-0x0000000000261000-memory.dmp	family_vidar_v7
behavioral1/memory/2240-186-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2240-485-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2768-37-0x0000000001D50000-0x0000000001E6B000-memory.dmp	family_djvu
behavioral1/memory/2744-81-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-88-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-115-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-148-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-165-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-379-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CFF0.exe	family_redline
behavioral1/memory/1064-154-0x0000000000BE0000-0x0000000000BFE000-memory.dmp	family_redline
behavioral1/memory/2276-480-0x0000000000900000-0x000000000091E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CFF0.exe	family_sectoprat
behavioral1/memory/1064-154-0x0000000000BE0000-0x0000000000BFE000-memory.dmp	family_sectoprat
behavioral1/memory/2276-480-0x0000000000900000-0x000000000091E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

1272

pid	process
1272

Executes dropped EXE 18 IoCs

Processes:

F299.exe974.exeA67E.exe974.exe974.exe974.exeCFF0.exebuild2.exebuild2.exebuild3.exebuild3.exeasdjijjjjj.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2700	F299.exe
2768	974.exe
1976	A67E.exe
2744	974.exe
2956	974.exe
2440	974.exe
1064	CFF0.exe
2108	build2.exe
2240	build2.exe
2580	build3.exe
2264	build3.exe
2276	asdjijjjjj.exe
2676	mstsca.exe
1928	mstsca.exe
2832	mstsca.exe
2420	mstsca.exe
2368	mstsca.exe
2028	mstsca.exe

Loads dropped DLL 21 IoCs

Processes:

974.exeWerFault.exe974.exe974.exe974.exeWerFault.exeCFF0.exe

pid	process
2768	974.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
2744	974.exe
2744	974.exe
2956	974.exe
2440	974.exe
2440	974.exe
2440	974.exe
2440	974.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1600	WerFault.exe
1064	CFF0.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

460 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
460	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

974.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ac34063a-7bf1-4944-8c40-4a8064d1ce2e\\974.exe\" --AutoStart"	974.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 api.2ip.ua
60 api.2ip.ua
72 api.2ip.ua

flow	ioc
59	api.2ip.ua
60	api.2ip.ua
72	api.2ip.ua

Suspicious use of SetThreadContext 7 IoCs

Processes:

974.exe974.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2768 set thread context of 2744	2768	974.exe	974.exe
PID 2956 set thread context of 2440	2956	974.exe	974.exe
PID 2108 set thread context of 2240	2108	build2.exe	build2.exe
PID 2580 set thread context of 2264	2580	build3.exe	build3.exe
PID 2676 set thread context of 1928	2676	mstsca.exe	mstsca.exe
PID 2832 set thread context of 2420	2832	mstsca.exe	mstsca.exe
PID 2368 set thread context of 2028	2368	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1672 1976 WerFault.exe A67E.exe
1600 2240 WerFault.exe build2.exe

pid	pid_target	process	target process
1672	1976	WerFault.exe	A67E.exe
1600	2240	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exeF299.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F299.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F299.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F299.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2888 schtasks.exe
2052 schtasks.exe

pid	process
2888	schtasks.exe
2052	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exeasdjijjjjj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	asdjijjjjj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	asdjijjjjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe

pid	process
3004	844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
3004	844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exeF299.exe

pid process

3004 844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
2700 F299.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

CFF0.exeasdjijjjjj.exe

description	pid	process
Token: SeShutdownPrivilege	1272
Token: SeShutdownPrivilege	1272
Token: SeShutdownPrivilege	1272
Token: SeDebugPrivilege	1064	CFF0.exe
Token: SeShutdownPrivilege	1272
Token: SeShutdownPrivilege	1272
Token: SeShutdownPrivilege	1272
Token: SeDebugPrivilege	2276	asdjijjjjj.exe
Token: SeShutdownPrivilege	1272

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

974.exeA67E.exe974.execmd.exe974.exe974.exebuild2.exe

description	pid	process	target process
PID 1272 wrote to memory of 2700	1272		F299.exe
PID 1272 wrote to memory of 2700	1272		F299.exe
PID 1272 wrote to memory of 2700	1272		F299.exe
PID 1272 wrote to memory of 2700	1272		F299.exe
PID 1272 wrote to memory of 2768	1272		974.exe
PID 1272 wrote to memory of 2768	1272		974.exe
PID 1272 wrote to memory of 2768	1272		974.exe
PID 1272 wrote to memory of 2768	1272		974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 1272 wrote to memory of 1976	1272		A67E.exe
PID 1272 wrote to memory of 1976	1272		A67E.exe
PID 1272 wrote to memory of 1976	1272		A67E.exe
PID 1272 wrote to memory of 1976	1272		A67E.exe
PID 2768 wrote to memory of 2744	2768	974.exe	974.exe
PID 1976 wrote to memory of 1672	1976	A67E.exe	WerFault.exe
PID 1976 wrote to memory of 1672	1976	A67E.exe	WerFault.exe
PID 1976 wrote to memory of 1672	1976	A67E.exe	WerFault.exe
PID 1976 wrote to memory of 1672	1976	A67E.exe	WerFault.exe
PID 2744 wrote to memory of 460	2744	974.exe	icacls.exe
PID 2744 wrote to memory of 460	2744	974.exe	icacls.exe
PID 2744 wrote to memory of 460	2744	974.exe	icacls.exe
PID 2744 wrote to memory of 460	2744	974.exe	icacls.exe
PID 2744 wrote to memory of 2956	2744	974.exe	974.exe
PID 2744 wrote to memory of 2956	2744	974.exe	974.exe
PID 2744 wrote to memory of 2956	2744	974.exe	974.exe
PID 2744 wrote to memory of 2956	2744	974.exe	974.exe
PID 1272 wrote to memory of 2088	1272		cmd.exe
PID 1272 wrote to memory of 2088	1272		cmd.exe
PID 1272 wrote to memory of 2088	1272		cmd.exe
PID 2088 wrote to memory of 2500	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2500	2088	cmd.exe	reg.exe
PID 2088 wrote to memory of 2500	2088	cmd.exe	reg.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 2956 wrote to memory of 2440	2956	974.exe	974.exe
PID 1272 wrote to memory of 1064	1272		CFF0.exe
PID 1272 wrote to memory of 1064	1272		CFF0.exe
PID 1272 wrote to memory of 1064	1272		CFF0.exe
PID 1272 wrote to memory of 1064	1272		CFF0.exe
PID 2440 wrote to memory of 2108	2440	974.exe	build2.exe
PID 2440 wrote to memory of 2108	2440	974.exe	build2.exe
PID 2440 wrote to memory of 2108	2440	974.exe	build2.exe
PID 2440 wrote to memory of 2108	2440	974.exe	build2.exe
PID 2108 wrote to memory of 2240	2108	build2.exe	build2.exe
PID 2108 wrote to memory of 2240	2108	build2.exe	build2.exe
PID 2108 wrote to memory of 2240	2108	build2.exe	build2.exe
PID 2108 wrote to memory of 2240	2108	build2.exe	build2.exe

C:\Users\Admin\AppData\Local\Temp\844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe
"C:\Users\Admin\AppData\Local\Temp\844773f65b656c5423a201d3c2b5a470fc869303bb3e2dde19902e6bf1a2985c.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3004

C:\Users\Admin\AppData\Local\Temp\F299.exe
C:\Users\Admin\AppData\Local\Temp\F299.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2700

C:\Users\Admin\AppData\Local\Temp\974.exe
C:\Users\Admin\AppData\Local\Temp\974.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\974.exe
C:\Users\Admin\AppData\Local\Temp\974.exe
2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ac34063a-7bf1-4944-8c40-4a8064d1ce2e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:460

C:\Users\Admin\AppData\Local\Temp\974.exe
"C:\Users\Admin\AppData\Local\Temp\974.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\974.exe
"C:\Users\Admin\AppData\Local\Temp\974.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build2.exe
"C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build2.exe
"C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1480
7⤵
- Loads dropped DLL
- Program crash
PID:1600

C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build3.exe
"C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2580

C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build3.exe
"C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build3.exe"
6⤵
- Executes dropped EXE
PID:2264

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:2888

C:\Users\Admin\AppData\Local\Temp\A67E.exe
C:\Users\Admin\AppData\Local\Temp\A67E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:1672

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C287.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\CFF0.exe
C:\Users\Admin\AppData\Local\Temp\CFF0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe
"C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\taskeng.exe
taskeng.exe {10D25E92-0700-45E9-99CB-E37686D4E271} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:2200

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2676

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1928

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:2052

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2832

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2368

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
f6d38556e96bdb48719f20d3648283c0

SHA1
669b2a387561e11322bfb9a3824671860512ab40

SHA256
45a081b2a78d7804f147e4e9e7f362737d40bda2f17f8119dc4fc5645cd0e609

SHA512
6103203deb0ddf8307bf1ba06a81f200babcc73b228168b1a3c3309d4b01680c51c627921db0b43b8025ec4b91489a7a8574cccf786299850c387dba0e7f8190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
8f905dc06b3769fbec7d76db0988bf7b

SHA1
0a0b7dc08b9a746d55e490c3b84b1e0bb10c50fd

SHA256
5571c3a09741ef38563086cf20e9c96ef81ae40e10c9260b2e88cedfda07a309

SHA512
935e1288ef8ed0d7142dcabb918bde7898900e8906384a4af99be66d971e84b82dda3b45fbd267c2ab6869fe275a08a0931e06fbf6aca13e8206c4cb949243af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2b1fe93cacddbdbf45bdd188b8b5ad35

SHA1
116defa97033e60f846866638f624c8aac305c95

SHA256
3b5e080e2406082af0b0c1c066ef9f38aa761da4627898603e3fb72c6cd14388

SHA512
871b6943942684041c709c0875780a2639f178b8b1e22afa9d28070e8662c199afe2a9beb383b623f206c8ae22b984c0a3b6f366e6873234561492679f691139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9f99574013a3bc456b2d9afa14d012d3

SHA1
d611c3c564dba1087dfe27455a62116cf0a0824f

SHA256
8f4f9d2c7d23c0e93741fb9e94f85ee9dcb974f89e7cb56b529dded62e4fe681

SHA512
62088ef8efe9ceaf8671e6ad2b39ee52b0ee956ce8ccba8e692adc1cb3dfcf9739dee60a40618334c33ee2054fdfb75288ec56693ad62ccf143f0cea0e2d5e8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b302e0f453328fa2fef36595a12c55b5

SHA1
d1952ae4817d798921b1fd308a748ceb847d2efb

SHA256
71a4a4bf9ecf1513a2ff73871c83cab0d67ff24f983130addfc2fa597cdbc42e

SHA512
6ef7cbc29c40be0b99e29ce88a6f2b9ca34fd319fe8a9de9024662d8c08f81510ea2d21e96a4d21c7aef9d86c4597a9271ea708236c1a41712258d6481071ca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
50769b57b1ab77e694c7b77600cd05fa

SHA1
125c9532d55773079cdaa0cc732052bef8b664c1

SHA256
20ca2058fadade81e655631b67d592b86e694c59e76c099a1656839fe5c05a4a

SHA512
f5ccc6ac9e26d9aa771d9349d1c45ca7f51cf62aacaa9af2dffb65fb23842301076f18b3cc35ba7fb7441f51734f877bf4c6b7086d49a3511ac0bb6c54ae4f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\974.exe
Filesize
463KB

MD5
0d6ea18a0130c2c4048e5584be2da8fd

SHA1
fd698a0647afbb2bde56b235ca857d946c32f241

SHA256
afb3d8b0c2a05c1110f853cbee6a8beb4bdd2eb7cb5f818c3cfae508afdb088b

SHA512
1662b7a3edcc0b2edf75c886a5715b1049b77955041afa0fc57c35c1d4d7aaf438810140005e00191bafae268866543ab41e2bfedada970efb6742d06f573998

Download Submit
C:\Users\Admin\AppData\Local\Temp\974.exe
Filesize
377KB

MD5
f20667212971887331e5ec938a8da946

SHA1
70fcd553ebd3ff0440a2bfaf72201ffdb81f76e5

SHA256
f37064df0b1700489c94b54d61293b347c13e6362bc23e74925bf5d31a14fd5c

SHA512
a69fb72451e17af7625f465ab3a5d3154a71712613ece80564294209eedb9b4225ac9ae8c47449f3dbd6ca06dd237a20ea241e232cde7b29ca7dd0a699d59c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\974.exe
Filesize
304KB

MD5
62ccd100f6042fa23f8e772dbd5faf92

SHA1
acc33dd6cb94f5cde775758504593d570ff65963

SHA256
b78dfb72769fba8bd3eda4689a2b9f302ae3673ea0a78bae0a11c48be6fa29d9

SHA512
f61b9feb2b773aa2c05ecd13beb2637efb77f366959a46668136a3a4097e0da62e71c5b0459f4ff543647ebfba3b0a520aa7d6d1403cd9fa39673310e2024e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\974.exe
Filesize
728KB

MD5
762ba1aff6bacca1f01a4bd8c6af3258

SHA1
2a0584ca791c25b7c0ef610f4e6a84b7a967cbf5

SHA256
02164a26984198d45d80ec8a7b86b33395fa4305c2431f9320df7af7ed61a631

SHA512
742ad8520f2f7b077139056c1651c62c046805f97c7a82d82e9b0cf8c4445745ca631ee3724ad5272c0cede6818be8293f2b0c3dc1ca13e8d88c8b23a54a2333

Download Submit
C:\Users\Admin\AppData\Local\Temp\A67E.exe
Filesize
3.4MB

MD5
7519193ca98e52804d0cced5bcf56c4d

SHA1
330720f331e640e5c326976e0b9f02b7e39f3dbe

SHA256
1a8b72f1335c0d9c99fc61358b96a309946efdd70a84ff6af77e3fc2f66c2702

SHA512
1bcd42ab51dc29ac2debffd07241b9974a6b8796a24ff5c99e824be0a9e6e9e1602756cda1d175bc58e027820501b52f2e352c25ce8cce8a91e0793fd3cec50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A67E.exe
Filesize
3.7MB

MD5
d3c52b33fbfe9ab685ea23e20ba9ed5f

SHA1
4b4abbdac8e083c71162008ee5eb26b1d91dd3f3

SHA256
dd5f0107397133ece4d4d15cc3d14831ff227e9027e3b4bce83da23f0225eed5

SHA512
61a84dc8720b35ad59c8d8be5ef800c9c2945beccc8e28a5b0ccd8a4f8c46e67e011ba5cc4a06a43364e8e0d66c6c0d95dbae704fd7f50a69422a1d45bd08ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C287.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF0.exe
Filesize
95KB

MD5
57935225dcb95b6ed9894d5d5e8b46a8

SHA1
1daf36a8db0b79be94a41d27183e4904a1340990

SHA256
79d7b0f170471f44ed6c07ddb4c4c9bb20c97235aef23ac052e692cb558a156d

SHA512
1b6362bdb7f6b177773357f5fe8e7d7ee44716fd8e63e663e446f4e204af581491d05345c12cd9cca91fd249383817da21ef2241011cdc251b7e299560ea48c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC810.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F299.exe
Filesize
229KB

MD5
d10ceb31dff3ca0c51709fa32cfa078e

SHA1
6c07a177d886c49d96aa47ae19a6672120592c8c

SHA256
f6ccdda55b0298c9cd9c5dedd9a929bd370e6855edbf6cb0e66b4d9af610d139

SHA512
82118dbb5fdfb5e19e2db72774d5a6e86d5a1a238eac93072ccc9ecdaa6755e6ae51082ffaa9e49aed882f95719bb41c5472149d2beff0cb43902e52c5415f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE3FA.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3758.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6E.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF84.tmp
Filesize
92KB

MD5
c5ab22deca134f4344148b20687651f4

SHA1
c36513b27480dc2d134cefb29a44510a00ec988d

SHA256
1e9bd8064ca87d8441e2702005ef8df9a3647d5542740737abb8a70be7ec9512

SHA512
550f45132525e967d749106b9d3b114d17b066967527bfd5c66613d61b6f3995f87b0f3c09def19eed14b5b757f2501645b5103505d126f1dd66994f50e1257e

Download Submit
C:\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build3.exe
Filesize
64KB

MD5
8b6a819c6926597dfa7529b692d7a6cc

SHA1
50c535e9cca464afd3a589d2231d87ce417d4312

SHA256
b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c

SHA512
dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9

Download Submit
\Users\Admin\AppData\Local\Temp\974.exe
Filesize
691KB

MD5
9bc83f0fe47c0589fce5e803af9109d2

SHA1
02aa5714d30b1fcb085bc9673bc70e1b95ea14bb

SHA256
ec40422a7fcfdeca5e48ea8d5bd9109ca5c0d120279bb501deeb7a65673d8325

SHA512
d2c93ee23ed20ad6551dd11c8821e10baded6e73d7f51c0efeaa6cc3b6b4a5a988734561d5901d381f902ef740a0fb01734d9a17e012e25fc2a94b607ce7f071

Download Submit
\Users\Admin\AppData\Local\Temp\974.exe
Filesize
189KB

MD5
01b5b0240356994dcb06fb0529e1d8ab

SHA1
160135c6c1013f94fab8441ac4a9321ee1457bf7

SHA256
6f378fb62e61c12412c4fe2233376b5010b953fda425f023db70e323678ac93f

SHA512
56e0b79b94d41ded5fe6e57762dea5950cf7196dab2e5a245af7e177e2b4f878fa54ff15b25f3f46c555c7a89921722ce5e751c77b96e7428dd80475727f00c7

Download Submit
\Users\Admin\AppData\Local\Temp\974.exe
Filesize
300KB

MD5
d50fdc744968da1aa8461d2356d50960

SHA1
2d92432868b89b1afb39c21ba4666699159ff4c8

SHA256
b35e3c542b0f3bc13be20e50079dc94139ed75a0d1d824112abea4a9da07f452

SHA512
f30d43c76ca2bf0b2c5630ba1d9d3d510301a15cc70a7bd32610f3e3ebc6a71199a52d56aa776df2ec7ec8bde3d7e4425bec2d8b5ca06de0508818e5be8a4895

Download Submit
\Users\Admin\AppData\Local\Temp\A67E.exe
Filesize
3.9MB

MD5
30bb0a7a86b487feda4d26c0328adc5d

SHA1
3743fb22ae2cf05da2730e7acfb879eb5515c412

SHA256
ef37d3cfe0c9991644c4bfdb7d2b4fe6eed2ff7c2c953cb45d9b5d1df404bed1

SHA512
2d8025c4f1709d446d2854cff9493315fc5741ae08a2f45460ac8705a27dca77e4faa884fab43871dffe455dfae946a6ded626e65fe91170fb5e071bd10de242

Download Submit
\Users\Admin\AppData\Local\Temp\A67E.exe
Filesize
4.3MB

MD5
124930b61e1c12136a28e5eeeb0629b8

SHA1
61f34e7e46886856054720a260137de5443655a4

SHA256
68824c690cb3175b53da180a7b4e8d2ff1ee66ecd1d5d3c56b8aa967f0d509f2

SHA512
4b2853ef7275b15ad7008eb3847fd30369fe102ff525d286fc2197145e7020f0c307ce630abd5459fce460131e6bac4f5ca7a2c01e6c532b61270731e834313a

Download Submit
\Users\Admin\AppData\Local\Temp\A67E.exe
Filesize
4.6MB

MD5
a98afe870591063019ac7f6bac46fa38

SHA1
96146609c66279ae7d0c858d2a964b891aec88f2

SHA256
a8fe9642b407a95fe4fd2b5b34defe19dd16e6c786482b3bf7d441813f364d68

SHA512
136d4cdbf77081441ef5a44679afed6a8786eace8274b535071b17cdb53a83c483c1366a97d8e429403e0e476ea82b16b91d6103b56f35f49be11b7e11e737d8

Download Submit
\Users\Admin\AppData\Local\Temp\A67E.exe
Filesize
4.3MB

MD5
28818d062639fc6256322edc83ac5dd8

SHA1
e94377ce4f64b7a6db06dd48cdd590af246f949e

SHA256
b775f61d19d2431c40f3826420390c0fc82879223492a9e57ce61a6d9d69ad29

SHA512
e7e93d96014d47b5461e6dbbac45be26cac45042a4dd6c287d9f32715bf3016119c1ea80825fed7c99066d9bb25e79977e036230e4de7c0bdaec118aaa1f9baf

Download Submit
\Users\Admin\AppData\Local\Temp\A67E.exe
Filesize
2.7MB

MD5
118c9c1901d337c2d566e088275305d2

SHA1
6eaf260c29d754a7591e83c82dfdffebf07d0768

SHA256
499053d4a8f6cf650bfc1863fb3b7969947b672547f4b9b822d46deb0d277ed7

SHA512
a355d6cceec9e764332aef51f271ac1004368d43c5c048dce8f2c7066bca671930c5ca1f81e4b44134b199d20071936a73279b92445bbbc6176a1aa0ba7d2054

Download Submit
\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build2.exe
Filesize
332KB

MD5
a0cc1241aa4803dc23ff778af73e3768

SHA1
75d07c8f1784e8e64e7520c2666bc63c2a477ffa

SHA256
c0b12bbdcb41f6941d4356309fd8a43f61cbfd18eee044ff1771cbdbba248466

SHA512
3ccb46eca07827f5c86b31da5f7ab1b4a4b80f0cf3c1f8245c9ea57cf7c2244bc5f867a09696ce1c80cce38c631c7f6a13dca537b8e4b297735324f52cabb755

Download Submit
\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build3.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\e0c47caa-8624-492d-a1b9-8c87d17c039b\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/1064-483-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1064-176-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1064-159-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1064-482-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1064-472-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1064-154-0x0000000000BE0000-0x0000000000BFE000-memory.dmp

Filesize
120KB

Download
memory/1272-4-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

Filesize
88KB

Download
memory/1272-21-0x0000000002E60000-0x0000000002E76000-memory.dmp

Filesize
88KB

Download
memory/1976-49-0x0000000000C70000-0x0000000001A9B000-memory.dmp

Filesize
14.2MB

Download
memory/1976-54-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1976-87-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1976-48-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1976-46-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1976-80-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1976-78-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1976-75-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1976-73-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1976-70-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1976-68-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1976-50-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1976-52-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1976-65-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1976-44-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1976-175-0x0000000000C70000-0x0000000001A9B000-memory.dmp

Filesize
14.2MB

Download
memory/1976-57-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/1976-63-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1976-60-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1976-58-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1976-55-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2028-644-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2108-184-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/2108-183-0x0000000000625000-0x000000000063F000-memory.dmp

Filesize
104KB

Download
memory/2240-186-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2240-485-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2264-277-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2276-480-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download
memory/2276-481-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-570-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-637-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/2440-165-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-148-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-379-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2580-260-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2580-262-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/2676-580-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2700-22-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2700-19-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2700-20-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2744-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-88-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-81-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2768-34-0x0000000000280000-0x0000000000312000-memory.dmp

Filesize
584KB

Download
memory/2768-37-0x0000000001D50000-0x0000000001E6B000-memory.dmp

Filesize
1.1MB

Download
memory/2768-31-0x0000000000280000-0x0000000000312000-memory.dmp

Filesize
584KB

Download
memory/2832-609-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/2956-128-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2956-117-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/3004-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3004-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3004-1-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/3004-2-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/3004-7-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download