dcrat | 8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9

Analysis

max time kernel
300s
max time network
154s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
Size

225KB
MD5

74f12c8c7a4cd8231a5d8b456d38c7d9
SHA1

5d75858577ae6772013eb30a8638f0b9426bed7b
SHA256

8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9
SHA512

adb4cab3f59b2c93a8e1f6dcdd54d8d2ee4da4e37a805a87ba5b654b213ceb26420ab6b6504499f39d178c39eb65dd3139d7fb56eddb3eec129ab6389492575e
SSDEEP

3072:MkVACTn0bruqXVH21bpL9bBOH+4+ZkSQ74/9DAhjGSXMrw5kLeW:ZoyqFH2t/dOH+d2SQS8hz+L

Score

10^/10

dcrat djvu redline sectoprat smokeloader vidar 655507914130aa0fe72362726c206a7c exodus pub1 backdoor discovery infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.ldhy
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.7

Botnet

655507914130aa0fe72362726c206a7c

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327

Attributes

profile_id_v2
655507914130aa0fe72362726c206a7c

Extracted

Family

redline

Botnet

Exodus

93.123.39.68:1334

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/728-131-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/500-134-0x0000000000230000-0x0000000000261000-memory.dmp	family_vidar_v7
behavioral1/memory/728-136-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/728-137-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/728-288-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-31-0x00000000004D0000-0x00000000005EB000-memory.dmp	family_djvu
behavioral1/memory/2804-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-80-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-90-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-91-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-108-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-107-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-112-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-115-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-114-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1936-229-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5111.exe	family_redline
behavioral1/memory/2532-372-0x0000000000FB0000-0x0000000000FCE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5111.exe	family_sectoprat
behavioral1/memory/2532-372-0x0000000000FB0000-0x0000000000FCE000-memory.dmp	family_sectoprat
behavioral1/memory/2532-374-0x0000000004990000-0x00000000049D0000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

1376

pid	process
1376

Executes dropped EXE 21 IoCs

Processes:

7E63.exe90EB.exe90EB.exe90EB.exe90EB.exebuild2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe41D3.exe5111.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2364	7E63.exe
2648	90EB.exe
2804	90EB.exe
2728	90EB.exe
1936	90EB.exe
500	build2.exe
728	build2.exe
1480	build3.exe
1892	build3.exe
2608	mstsca.exe
1220	mstsca.exe
1904	41D3.exe
2532	5111.exe
2064	mstsca.exe
2020	mstsca.exe
2292	mstsca.exe
608	mstsca.exe
2148	mstsca.exe
1064	mstsca.exe
2776	mstsca.exe
624	mstsca.exe

Loads dropped DLL 20 IoCs

Processes:

90EB.exe90EB.exe90EB.exe90EB.exeWerFault.exeWerFault.exe

pid	process
2648	90EB.exe
2804	90EB.exe
2804	90EB.exe
2728	90EB.exe
1936	90EB.exe
1936	90EB.exe
1936	90EB.exe
1936	90EB.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1988 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1988	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

90EB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\454712a0-af94-466c-9ec7-84a6e5967364\\90EB.exe\" --AutoStart"	90EB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.2ip.ua
23 api.2ip.ua
43 api.2ip.ua

flow	ioc
22	api.2ip.ua
23	api.2ip.ua
43	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

90EB.exe90EB.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2648 set thread context of 2804	2648	90EB.exe	90EB.exe
PID 2728 set thread context of 1936	2728	90EB.exe	90EB.exe
PID 500 set thread context of 728	500	build2.exe	build2.exe
PID 1480 set thread context of 1892	1480	build3.exe	build3.exe
PID 2608 set thread context of 1220	2608	mstsca.exe	mstsca.exe
PID 2064 set thread context of 2020	2064	mstsca.exe	mstsca.exe
PID 2292 set thread context of 608	2292	mstsca.exe	mstsca.exe
PID 2148 set thread context of 1064	2148	mstsca.exe	mstsca.exe
PID 2776 set thread context of 624	2776	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2644 728 WerFault.exe build2.exe
2620 1904 WerFault.exe 41D3.exe

pid	pid_target	process	target process
2644	728	WerFault.exe	build2.exe
2620	1904	WerFault.exe	41D3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7E63.exe8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7E63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7E63.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7E63.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1732 schtasks.exe
2296 schtasks.exe

pid	process
1732	schtasks.exe
2296	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

90EB.exe90EB.exebuild2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	90EB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	90EB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	90EB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	90EB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	90EB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe

pid	process
1736	8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
1736	8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe7E63.exe

pid process

1736 8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
2364 7E63.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

5111.exe

description	pid	process
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeShutdownPrivilege	1376
Token: SeDebugPrivilege	2532	5111.exe
Token: SeShutdownPrivilege	1376

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1376
1376
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1376
1376

pid	process
1376
1376

pid	process
1376
1376

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90EB.exe90EB.exe90EB.exe90EB.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1376 wrote to memory of 2364	1376		7E63.exe
PID 1376 wrote to memory of 2364	1376		7E63.exe
PID 1376 wrote to memory of 2364	1376		7E63.exe
PID 1376 wrote to memory of 2364	1376		7E63.exe
PID 1376 wrote to memory of 2648	1376		90EB.exe
PID 1376 wrote to memory of 2648	1376		90EB.exe
PID 1376 wrote to memory of 2648	1376		90EB.exe
PID 1376 wrote to memory of 2648	1376		90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2648 wrote to memory of 2804	2648	90EB.exe	90EB.exe
PID 2804 wrote to memory of 1988	2804	90EB.exe	icacls.exe
PID 2804 wrote to memory of 1988	2804	90EB.exe	icacls.exe
PID 2804 wrote to memory of 1988	2804	90EB.exe	icacls.exe
PID 2804 wrote to memory of 1988	2804	90EB.exe	icacls.exe
PID 2804 wrote to memory of 2728	2804	90EB.exe	90EB.exe
PID 2804 wrote to memory of 2728	2804	90EB.exe	90EB.exe
PID 2804 wrote to memory of 2728	2804	90EB.exe	90EB.exe
PID 2804 wrote to memory of 2728	2804	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 2728 wrote to memory of 1936	2728	90EB.exe	90EB.exe
PID 1936 wrote to memory of 500	1936	90EB.exe	build2.exe
PID 1936 wrote to memory of 500	1936	90EB.exe	build2.exe
PID 1936 wrote to memory of 500	1936	90EB.exe	build2.exe
PID 1936 wrote to memory of 500	1936	90EB.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 500 wrote to memory of 728	500	build2.exe	build2.exe
PID 1936 wrote to memory of 1480	1936	90EB.exe	build3.exe
PID 1936 wrote to memory of 1480	1936	90EB.exe	build3.exe
PID 1936 wrote to memory of 1480	1936	90EB.exe	build3.exe
PID 1936 wrote to memory of 1480	1936	90EB.exe	build3.exe
PID 1480 wrote to memory of 1892	1480	build3.exe	build3.exe
PID 1480 wrote to memory of 1892	1480	build3.exe	build3.exe
PID 1480 wrote to memory of 1892	1480	build3.exe	build3.exe
PID 1480 wrote to memory of 1892	1480	build3.exe	build3.exe
PID 1480 wrote to memory of 1892	1480	build3.exe	build3.exe
PID 1480 wrote to memory of 1892	1480	build3.exe	build3.exe
PID 1480 wrote to memory of 1892	1480	build3.exe	build3.exe

C:\Users\Admin\AppData\Local\Temp\8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe
"C:\Users\Admin\AppData\Local\Temp\8c48beff3a839cb1447e31b60301c92a98f867c64fe7811fd6641e3116dbf7e9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1736

C:\Users\Admin\AppData\Local\Temp\7E63.exe
C:\Users\Admin\AppData\Local\Temp\7E63.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2364

C:\Users\Admin\AppData\Local\Temp\90EB.exe
C:\Users\Admin\AppData\Local\Temp\90EB.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\90EB.exe
C:\Users\Admin\AppData\Local\Temp\90EB.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\454712a0-af94-466c-9ec7-84a6e5967364" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1988

C:\Users\Admin\AppData\Local\Temp\90EB.exe
"C:\Users\Admin\AppData\Local\Temp\90EB.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\90EB.exe
"C:\Users\Admin\AppData\Local\Temp\90EB.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build2.exe
"C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build2.exe
"C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 1424
7⤵
- Loads dropped DLL
- Program crash
PID:2644

C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build3.exe
"C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build3.exe
"C:\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build3.exe"
6⤵
- Executes dropped EXE
PID:1892

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\taskeng.exe
taskeng.exe {0DA8FFED-3AB5-47B4-A3A9-2D42C71D7269} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2608

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2064

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2292

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:608

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2148

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1064

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2776

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:624

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2296

C:\Users\Admin\AppData\Local\Temp\41D3.exe
C:\Users\Admin\AppData\Local\Temp\41D3.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:2620

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:1044

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4AE8.bat" "
1⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\5111.exe
C:\Users\Admin\AppData\Local\Temp\5111.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
f6d38556e96bdb48719f20d3648283c0

SHA1
669b2a387561e11322bfb9a3824671860512ab40

SHA256
45a081b2a78d7804f147e4e9e7f362737d40bda2f17f8119dc4fc5645cd0e609

SHA512
6103203deb0ddf8307bf1ba06a81f200babcc73b228168b1a3c3309d4b01680c51c627921db0b43b8025ec4b91489a7a8574cccf786299850c387dba0e7f8190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
eb6319422b636d82058405738784d376

SHA1
9653685d22e182e4960ec5ece937ac6ddc89dda4

SHA256
546bbac803ab96fc568b2811ea4eaa7c9c85030a5f1e031cd53458c541e2671e

SHA512
93b64c8c247902dc32e17671f1a9db615a6e762fb3d483a411d37ae2bc69147ae865a00d7757917e653bbddb9ea70cb56615fef787b1c28a6de9a35d826e2171

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a3f3dae9a6e6bf95519ae31a27c86b52

SHA1
6f0e042df0738d0ffdf213393abb48ae17be06c5

SHA256
7c0126eb11bf09c2e7e888489456978a88f7017d1b485992f8854804a11bbbcb

SHA512
c7d16dab71c55f3e9ad74a65c92201cbf7fdf424fcfb4cc6b42b9a575cb2c0a99d61d3f9bd7030ee7b9c8fe4f0eb6f2571eb491c6269abf182d97eab187a9fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
72bd09a01911e347b42e80acdf958f55

SHA1
1085a7d66259b1ff18dbdd515eaeb3701f9e25aa

SHA256
d9aecec155232dff1db078504bde5b7fbf276863f2b80df11b3df20bd9e9ff96

SHA512
0bff7bb975de3a213b5bddaecc78763967ca97ede66a8eaaabadb3981dc3b3f8a2e34864187b6725c9b453abf2996b53eafb2c5b31bad2211259baf4e71950cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
503e0f9c9ce1c18b549328f79e7088db

SHA1
8f4cd18a3b1d8d0724f7972fe6b3a5dfe9cc9c28

SHA256
74b756827559b2e9384108973cca22e64a6c42d75251e42063b5cbbeefa8fdf3

SHA512
eb5397c78dc44c85b64e4d30af1e776e0a7ab340cc08e3adc5a49208e88767c4afa5667198c2bf85680676b18e2e6db9242101275d30cddc5757a01c82731855

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
620d1348929c93613775936d67d16efb

SHA1
21779cb48c0051ec0695cda02ad2b23a2449a9c1

SHA256
3ea10029b61fc59db6a42d77816e0adde2c0aacfcbbe04f9fc27c00906f6e5ce

SHA512
0db8f63a19f96392a3142475b6883d9b9fc256df166378b40593e4126eeb9b194d4c79fe6ac95ede2905b7ca819be493cd8aed465b320ee3cfbc1a7669f324d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
4e68b3ed245d8f6b549f39709fc454ce

SHA1
f2077991d17a16038ffba047d8611ca02665859b

SHA256
657f8f063b35a8a3f082111699007692ae7960d7431870288aaca358b79ee1de

SHA512
522f4b5b4fabfb1f6e3789b7be9a37db274722d49cf300860275254519f158f08ea48b545591b1f897519406287623d5c24e936e37b25daff70d49f01969b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41D3.exe
Filesize
2.5MB

MD5
3feba590f1a75c75bfa1cb49fe977cee

SHA1
11ec959a97ac3f7c98762e113464bd40701d547b

SHA256
b3032f2ce85501f48a94bf10b8d56d8acf91a459e475044aab6ecd9260bacc4f

SHA512
970e78819d02da7605c1c8ab449a4db416a98fc7ef85146fe5684839aecffc20bd2f2df85c88ede554f1e245dd066daa52d8db199aee484b5be1c5073cb64278

Download Submit
C:\Users\Admin\AppData\Local\Temp\41D3.exe
Filesize
2.0MB

MD5
60654e5a93d6f383a18e0eb8c8ab487d

SHA1
c713613157588bed01a5924a969a0b1f403d0539

SHA256
ca25056aa9f9fe653223bddbbf1e8de028a2c5ee04a4fade61a957039f10a5c1

SHA512
8de2c8b7fe5c89f2306d62657b007ccc092554f9f86fa4fcc48ec887541d2003c5be3c5ed4b65f53ebffb88754264bc9b6007fc218660d705bf0d7852bbb4be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AE8.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\5111.exe
Filesize
95KB

MD5
57935225dcb95b6ed9894d5d5e8b46a8

SHA1
1daf36a8db0b79be94a41d27183e4904a1340990

SHA256
79d7b0f170471f44ed6c07ddb4c4c9bb20c97235aef23ac052e692cb558a156d

SHA512
1b6362bdb7f6b177773357f5fe8e7d7ee44716fd8e63e663e446f4e204af581491d05345c12cd9cca91fd249383817da21ef2241011cdc251b7e299560ea48c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E63.exe
Filesize
229KB

MD5
d10ceb31dff3ca0c51709fa32cfa078e

SHA1
6c07a177d886c49d96aa47ae19a6672120592c8c

SHA256
f6ccdda55b0298c9cd9c5dedd9a929bd370e6855edbf6cb0e66b4d9af610d139

SHA512
82118dbb5fdfb5e19e2db72774d5a6e86d5a1a238eac93072ccc9ecdaa6755e6ae51082ffaa9e49aed882f95719bb41c5472149d2beff0cb43902e52c5415f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\90EB.exe
Filesize
728KB

MD5
762ba1aff6bacca1f01a4bd8c6af3258

SHA1
2a0584ca791c25b7c0ef610f4e6a84b7a967cbf5

SHA256
02164a26984198d45d80ec8a7b86b33395fa4305c2431f9320df7af7ed61a631

SHA512
742ad8520f2f7b077139056c1651c62c046805f97c7a82d82e9b0cf8c4445745ca631ee3724ad5272c0cede6818be8293f2b0c3dc1ca13e8d88c8b23a54a2333

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9944.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A90.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AA5.tmp
Filesize
92KB

MD5
69b4e9248982ac94fa6ee1ea6528305f

SHA1
6fb0e765699dd0597b7a7c35af4b85eead942e5b

SHA256
53c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883

SHA512
5cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d

Download Submit
\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build2.exe
Filesize
332KB

MD5
a0cc1241aa4803dc23ff778af73e3768

SHA1
75d07c8f1784e8e64e7520c2666bc63c2a477ffa

SHA256
c0b12bbdcb41f6941d4356309fd8a43f61cbfd18eee044ff1771cbdbba248466

SHA512
3ccb46eca07827f5c86b31da5f7ab1b4a4b80f0cf3c1f8245c9ea57cf7c2244bc5f867a09696ce1c80cce38c631c7f6a13dca537b8e4b297735324f52cabb755

Download Submit
\Users\Admin\AppData\Local\33de3baf-c4e5-4594-b105-c744bad6c8c9\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\Temp\41D3.exe
Filesize
1.8MB

MD5
5de51470e6aa1401c7c0b86d1e591dce

SHA1
aaf9b68a9ca93474e2f21ba1636af0270bae4919

SHA256
e546c49f0cab0ca10a07699edf2583aebefab9c3596c3a1e822d7e03506fb5d0

SHA512
cee716bba57402479cc99ba4f22c1d1a5e21c638cc41b3eee22c1b0087044852d2d19151d70bbecd731c64d93c0aa37b81698c1df7bb7ef7c2b1ad7635064976

Download Submit
\Users\Admin\AppData\Local\Temp\41D3.exe
Filesize
2.0MB

MD5
9faa1ae1201ff875b92654fe832158fc

SHA1
34181f50e159dc5b232c4925cfcbea701b3019b8

SHA256
9a9652f140da61ab208217194def94ffe6941c70c91837a4e7b28f701dee5eff

SHA512
739780671e450296c8da45b142352f88564fb1c37a56792bb498ef7a6cb44e5eee1ad54b1ecff4443b111899d5b5fb5abee06464e012fb9760e0bb7454cd5a7d

Download Submit
\Users\Admin\AppData\Local\Temp\41D3.exe
Filesize
1.7MB

MD5
9aa9626184e4db2ccf9c28481d607281

SHA1
43aaa7b8e691f45d93c5da20f09351362ce6fb51

SHA256
4da1b8a3dfd36f5a967be450863e01f674be68f82d23b163717bcf9388320b90

SHA512
ef0a271bd5b5b54c4969833aa9f98d12a7ff8487b4266728cf7b88979cef496f99883d4690f649cd69616f58fbf9de1d879caedc232967ba9397d6e695368d4b

Download Submit
\Users\Admin\AppData\Local\Temp\41D3.exe
Filesize
2.1MB

MD5
8f56a56b4beeaedd73e55b59122f3d5a

SHA1
09f78a311089dd3145bc517c724a356621a6b5f3

SHA256
6026bf990cd96bf799b494df97b6ef7fa16d882b93873a911ef875ead06695c9

SHA512
13a5f40990810834190d8ecd7f3b3e8564ace14c4c93a91fdfe4ce56ead93d9e761e4e77916621c1ff67d41dcf074f329e77012fe3e7331a1745b2a3316eaba7

Download Submit
\Users\Admin\AppData\Local\Temp\41D3.exe
Filesize
1.5MB

MD5
dcc441adb9d1dc532cd2ed9827bdde3e

SHA1
2dc83aa3b5a1dbfc38aa6115b122bac7ead14719

SHA256
e5b1444aaac70af5f06a5ca6b4e5a68866dfcba2685da06d8ab8eaaa8d1cf9cd

SHA512
bf6f9e08ce39e57e9e62282c854e3b37521c7f7763dd2fa40ca777efc55ca9792dc4acf888eb0a07bf2ac00b11920d43c3c29f445d4feffa0fc398598844131b

Download Submit
memory/500-134-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/500-132-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/728-288-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/728-137-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/728-136-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/728-131-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/728-129-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1376-4-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

Filesize
88KB

Download
memory/1376-38-0x0000000003EE0000-0x0000000003EF6000-memory.dmp

Filesize
88KB

Download
memory/1480-269-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/1480-271-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1736-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1736-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1736-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1736-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1892-272-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1892-276-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1892-275-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1904-319-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1904-312-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1904-356-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1904-322-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1904-494-0x0000000000390000-0x00000000011BB000-memory.dmp

Filesize
14.2MB

Download
memory/1904-320-0x0000000077A50000-0x0000000077A51000-memory.dmp

Filesize
4KB

Download
memory/1904-318-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1904-317-0x0000000000390000-0x00000000011BB000-memory.dmp

Filesize
14.2MB

Download
memory/1904-315-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1936-107-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-114-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-229-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-90-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-91-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-108-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-112-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2064-514-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2148-571-0x00000000002F2000-0x0000000000302000-memory.dmp

Filesize
64KB

Download
memory/2292-541-0x0000000000952000-0x0000000000962000-memory.dmp

Filesize
64KB

Download
memory/2364-39-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2364-18-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2364-19-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2532-372-0x0000000000FB0000-0x0000000000FCE000-memory.dmp

Filesize
120KB

Download
memory/2532-373-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-495-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-374-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2608-298-0x0000000000C72000-0x0000000000C82000-memory.dmp

Filesize
64KB

Download
memory/2648-26-0x0000000000260000-0x00000000002F2000-memory.dmp

Filesize
584KB

Download
memory/2648-27-0x0000000000260000-0x00000000002F2000-memory.dmp

Filesize
584KB

Download
memory/2648-31-0x00000000004D0000-0x00000000005EB000-memory.dmp

Filesize
1.1MB

Download
memory/2728-82-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2728-84-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2776-598-0x00000000008B2000-0x00000000008C2000-memory.dmp

Filesize
64KB

Download
memory/2804-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-80-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download