ploutus | 22224274b8cae5885476e60705675edb03845d3728ab207fb0ab20dda464e66d

Analysis

max time kernel
171s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
Size

63.9MB
MD5

f49e304a05be6fb206a6ead8130ae8b6
SHA1

d9bed284d019da309ef9eb21f7dc537b12270c0a
SHA256

22224274b8cae5885476e60705675edb03845d3728ab207fb0ab20dda464e66d
SHA512

66b776a7cc9b3fa08388e4f6b8505451eae1ac197804a68f09d1637d5c029e61d144cff0fbe834203851fcb83011e20fbe2e66c1613de424cc70ed5d1589d3bf
SSDEEP

786432:exS05J4yh46IoWZXoCysKIeHtQj5KYS3WP:eD5JUXoCysKIPQYS3WP

Score

10^/10

ploutus atm backdoor spyware stealer

Malware Config

Signatures

Detected Ploutus loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000015c81-47.dat	family_ploutus
behavioral1/files/0x0009000000015c76-97.dat	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000015c76-8.dat	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables manipulated with Fody 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000015c81-47.dat	INDICATOR_EXE_Packed_Fody
behavioral1/memory/1716-67-0x0000000001120000-0x000000000155A000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral1/files/0x0009000000015c76-97.dat	INDICATOR_EXE_Packed_Fody
behavioral1/memory/1368-99-0x0000000000340000-0x00000000007EE000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral1/memory/1516-355-0x00000000002E0000-0x000000000071A000-memory.dmp	INDICATOR_EXE_Packed_Fody

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000015c76-8.dat	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

tmp1400758481.exetmp3516376713.exetmp3587844254.exeLECmd.exetmp3916605633.exetmp3403595024.exetmp3587844254.exe

pid	Process
2672	tmp1400758481.exe
2588	tmp3516376713.exe
1716	tmp3587844254.exe
1368	LECmd.exe
3044	tmp3916605633.exe
2568	tmp3403595024.exe
1516	tmp3587844254.exe

Loads dropped DLL 8 IoCs

Processes:

2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe

pid	Process
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

LECmd.exetmp3587844254.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LECmd.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	LECmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	tmp3587844254.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	LECmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	LECmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LECmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tmp3587844254.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tmp3587844254.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	LECmd.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	tmp3587844254.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	LECmd.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exetmp1400758481.exetmp3516376713.exetmp3916605633.exetmp3403595024.exe

pid	Process
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2672	tmp1400758481.exe
2588	tmp3516376713.exe
2588	tmp3516376713.exe
2672	tmp1400758481.exe
2588	tmp3516376713.exe
2672	tmp1400758481.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
3044	tmp3916605633.exe
3044	tmp3916605633.exe
3044	tmp3916605633.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2568	tmp3403595024.exe
2568	tmp3403595024.exe
2568	tmp3403595024.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exevssvc.exeLECmd.exe

description	pid	Process
Token: SeDebugPrivilege	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
Token: SeBackupPrivilege	2548	vssvc.exe
Token: SeRestorePrivilege	2548	vssvc.exe
Token: SeAuditPrivilege	2548	vssvc.exe
Token: SeDebugPrivilege	1368	LECmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe

description	pid	Process	procid_target
PID 2556 wrote to memory of 2672	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	28
PID 2556 wrote to memory of 2672	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	28
PID 2556 wrote to memory of 2672	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	28
PID 2556 wrote to memory of 2588	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	29
PID 2556 wrote to memory of 2588	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	29
PID 2556 wrote to memory of 2588	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	29
PID 2556 wrote to memory of 1716	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	33
PID 2556 wrote to memory of 1716	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	33
PID 2556 wrote to memory of 1716	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	33
PID 2556 wrote to memory of 1368	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	34
PID 2556 wrote to memory of 1368	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	34
PID 2556 wrote to memory of 1368	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	34
PID 2556 wrote to memory of 3044	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	36
PID 2556 wrote to memory of 3044	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	36
PID 2556 wrote to memory of 3044	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	36
PID 2556 wrote to memory of 2568	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	38
PID 2556 wrote to memory of 2568	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	38
PID 2556 wrote to memory of 2568	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	38
PID 2556 wrote to memory of 1516	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	39
PID 2556 wrote to memory of 1516	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	39
PID 2556 wrote to memory of 1516	2556	2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_f49e304a05be6fb206a6ead8130ae8b6_ekans_eternalromance.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\tmp1400758481.exe
  C:\Users\Admin\AppData\Local\Temp\tmp1400758481.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp1386517656.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\tmp3516376713.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3516376713.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp1555510836.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\tmp3587844254.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3587844254.exe -d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv C:\Users\Admin\AppData\Local\Temp\tmp3711787888 -q
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\tmp2914104867\LECmd.exe
  C:\Users\Admin\AppData\Local\Temp\tmp2914104867\LECmd.exe -d c:/ --csv C:\Users\Admin\AppData\Local\Temp\tmp2914104867lecmd --csvf results.csv
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\tmp3916605633.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3916605633.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp324788543.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\tmp3403595024.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3403595024.exe /VisitTimeFilterType 1 /HistorySource 1 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /scomma C:\Users\Admin\AppData\Local\Temp\tmp958342732.csv /SaveDirect
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\tmp3587844254.exe
  C:\Users\Admin\AppData\Local\Temp\tmp3587844254.exe -d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations --csv C:\Users\Admin\AppData\Local\Temp\tmp3711787888 -q
  2⤵
  - Executes dropped EXE
  PID:1516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
8d9448460e0a94996e6a664a8978f9f8

SHA1
7df4527abb581bde3db47d32fb43bc10f95f7e09

SHA256
4f68cefd16c7d6c1516230eec2a2612ee133f17f5a4d60ab2b7f986355bfc9bc

SHA512
5d4dd27394b8e57a72bd84e0e281d299b9cd2a071e298e8a2f64302fa095fa808a24986581579a0b39b238cf448ff3941369f8cddbc2c90c441386a7afc798db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
8d4355513fb93cf593c4424b6612117c

SHA1
1aa6714d01fbf97324c53afbc2f47654aa44b260

SHA256
50fcb7233d4f8d0ea75ff5e94edbc0e93b55c72a6bbd4a7ebd0adc3929b47379

SHA512
bdb65e0b8e2ce0c42b2deb289f71bdb3d4476eac2e4c3c01d072f48af243058989f1ecbff5e8ad705089d9064aa6dca3943820b095c03f69af02a6f490e48b3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_87080482E227A81FEA3DE5A553C20422

Filesize
510B

MD5
a67eb9e29d8be5646808f0b6382f9ed3

SHA1
36f4ac3a5b2eb3bdd523dcd21b2a50c549864c08

SHA256
02d6ac9ef6eb927d7ede2bd5b429f9c175545e6363569a2e6e72623b5cb4d40d

SHA512
ae979261fbcb3f95350ec754774a209fcfc54535d8d9b5115dbb9eaf4f26f95d53bcabdd8b4d2b3ca503126b826abd6464297570f8c2ea51e3a7b589dec163dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
1KB

MD5
285ec909c4ab0d2d57f5086b225799aa

SHA1
d89e3bd43d5d909b47a18977aa9d5ce36cee184c

SHA256
68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b

SHA512
4cf305b95f94c7a9504c53c7f2dc8068e647a326d95976b7f4d80433b2284506fc5e3bb9a80a4e9a9889540bbf92908dd39ee4eb25f2566fe9ab37b4dc9a7c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
0ea5308000299c3d33386edae3949a64

SHA1
a092cb1be0a44b67b993258d23619c79b910caf4

SHA256
2b563f041ca61883c44fc9600d4e71fe988bc42116796d2d5d0075c8f945aefa

SHA512
03238c580c7c0f2cc70d32f5e2cb11963d50ba7b35b9ffbc67b0ac779fe882c9bd2374ae86680e952ecc0397f7821af242ac4e4c34cfda4949c854364c766752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eac38aaa4bda4b498d508df3cef72abe

SHA1
8032fc26e0e4b91a3125a207716f8ba4066e6b3d

SHA256
c5177e79ad6e21d26344cc560198ff9fd8d68b252a76db1c545454d656b004c3

SHA512
23f34e0ea1664103205e1b07ef2e52a1a6358ac69db8119240ecb54add3e400c8530c19191eb7e5eb08de2f04a3b95ff9d69450a41ef4a46c4e82f281215d18d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e05072beb0f8fdf39981e02b49be8978

SHA1
38612df16508c87690e63fd434ee7a685b294b20

SHA256
e6d1244af06974ef6852b801d83d87d4b1f393bbe4d15cfb090a083b17a1108d

SHA512
78f0f4345bf2204fcc330618a35ddcca0a9e439cc91f36aa91a03eecb2c3e9a8e37043a7cf39d29f82ec4758454c2adc6ec7afe0880b8dbe611ec79f0c09500c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
624381316938dc7d0d36deb735c8e96c

SHA1
5168b4108001362241183f1989803026314c240a

SHA256
b6c886e217d58e798aeaa233ac0a525d31db0ac31fc78f53d8f3b5eae6fe6b79

SHA512
2d46b15947f41e267195efd52c1d3d2c66f4e392e6185896d5f1d0298c37e6a3548e4cb10fe0ea8bec14c16c3652e9c84ba6843ff7ffd0df2eb9911c34af7427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
468767a9224e83dffada9ad40defea00

SHA1
f8710f0abe51075a625fdfdb8323d2f995e06488

SHA256
0e25e3a76e78b7121288ad06c6f063f5e9256ba4d515b8806f5824116aabcf02

SHA512
2d6b8669ddb43cf5ba0d36ea2f5ee4f07347904d1740e7ec83866c7115d91de1bb3a54a073be4538951f1b95660cddc585c964b12a8e9c1e00af235fddbb68ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81e3a1aa9ad0f84d3f3d0705e548a775

SHA1
b0d2c3456f5de75aaf0b4dca27bafef1b4c958f4

SHA256
6fd9a23d28ef21cb6a9b518a5128e6da5138c5290b43cbf7d52606852e031a53

SHA512
512221162126b91525524dffa3858a508bc2ea08908b05bfa48365c86d26246c09002abf609f1bb6554b5ff1ffb3d96715c66babc873eb2eae2a808d1d345903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
2a73fdb5e108bbf61181d8b6f81c9731

SHA1
dfcfc2edb796fff9c993d605109e957cf3e051f7

SHA256
28b4fb6dac0d9c7ef62ded2a515d096de361436e8922e2941ac918c353f6458a

SHA512
0920549d22af8c788ab99035b9ed34cd41c16bc333be2d29f6913a662d483808e897fc6431eccd3f010935a4a1c57a7ecce9bb097d4ba00a16bb85d568d7e03c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_87080482E227A81FEA3DE5A553C20422

Filesize
476B

MD5
d6bc7cdb09d4b798900e21f2f8247988

SHA1
7f6ea889c6819fc779810c5d5ccc4f61f563fd1d

SHA256
70526087b805ee55602745f417aa23f91d1a6ebf8af6d40ef3b347ea240d6078

SHA512
0ea6130ae603ca536552371ee91b93b124c0fe751f9fefca736da6e1c4830fe65b1f6ec323bfa7de956e58203308422987f65943d77bf9172758d063ec14b142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
306B

MD5
f9e0b23b864ed8de68ca518d1b749d43

SHA1
ec0bd3cce2cca69b8f4b6123159e0c40a9a19f55

SHA256
e5f293204caf23816257541ad0b1bbe0e67fffc7ca73bd6d523b9bf9ea6b9ad8

SHA512
5bf80f30ae744383b6cc8367e5e2bea74780f92ca706c669f451131832dad22195da647c508f753d6b2242606101f4b91a6518183250b4991826d67f7e6fdecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqpF23B.tmp

Filesize
5.0MB

MD5
a53853573e9a383aa8a028b59a189d7e

SHA1
1e26bae50634b0fed0cc7fd6082bdbe7cdb04414

SHA256
d2cc9ce0fb6ff073c493fcd32e7384c303604a419bb92db15cf5362c39e9a029

SHA512
a2a770f37d44839b024e8b40630627edc4763db7f6bd145431b55283ec328613bae699f8ca3ef11b4bc47e061025f2223dfc0b94d66268d1c32c711c17208079

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1102348866

Filesize
12B

MD5
f6349e391ae68752dac3bb67e49948d4

SHA1
f8b0add2810d48d5a6e934cfff741e3c267cc6fb

SHA256
0ab0310d7e7148f687fd341e298d8429d5f680152fea7e62e12cb4d9b928ea67

SHA512
a03a2202d72dffadd6f169d7347ec1882000bb3545f5460d32ba152a6a0ddb4c31b01181f46ce0b1e40974d2482bdaa7d7e1d9ebc5f7edf7ee896ed12738c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1386517656.csv

Filesize
347B

MD5
1fbb078c5c105ea4af91c0583d67e103

SHA1
47f4e461eb43092cc090e89dea26999383a9c3bb

SHA256
3a1c30a7aa11816a66f581906c944aa6797451350c80d9bd43e934b98c07a099

SHA512
8ef489949c0c784c4e9e5cfe1cab3d2fb73c93ec56bf9703aa92730caf302961bc7eb6c9973dc343a82b506e138caabf18f676028340691cf0d7ee09a7dcb9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1400758481.exe

Filesize
975KB

MD5
cc6fe70941a288634532ee999f133f33

SHA1
62de5dd97e2aafe521c8463287b08e5bf8c54def

SHA256
c50d3f139bc7ed05fb0f5e25671ec0268b577d5930f27964291cc8747970f2c3

SHA512
1fe494fe8fb10ea792c96b2dcce3e6339a082fbf2897a88c663cf937bf47c0e6ecab42311b7535ed41f81ea840bf4107f666f3b39f7df97a70e05a3dcc572aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2914104867\LECmd.exe

Filesize
4.7MB

MD5
10e26753f3e1b6d9bc43d48776da1672

SHA1
fee7dbfcd10f3a78e4a6322a3c8a4cec2a2cfc7c

SHA256
94bc3f3cfb747e74147209d9e63c4b50cdbb141b4901fa95fcd30cac3764c91e

SHA512
523510dc92ffa11885874a4234bf245ef6d5d5f6596a7bac4eb6b1c3ab74e2de63cdf7719cdda2f84faa90c4d6fcda11b47478f7e503c8226f65949334c3b350

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2914104867lecmd\results.csv

Filesize
81KB

MD5
9ab09542b6659fcf70093e05ce32c8d2

SHA1
36020fe3d7f94fe012c394e0c6a67bebd5905100

SHA256
4c4db3d308f2189038033497e6969c48fad044ae782cb6e66165cf63bf3e3754

SHA512
f7394747585239d47fbe76b0c661df7e707b78adc36eca28d7d995fac97a88b4fe1712fbb03f88478fb406460d890a94c5c5f9a890cb2c7b290b1def6f519bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3587844254.exe

Filesize
4.2MB

MD5
030360a2cdbba7df39a7c2698b78ff73

SHA1
0f36bdec0a6603a53107065614182e6f44e3e7d3

SHA256
30d2e6dd472d5c55047852b6302b29d070d0da301d11990e5ba57f46bd69edfd

SHA512
143d294624a25a7a39784b788b6ce4c3367eb774140043c68ca35a9ce96d74cec44191a5ab3df94a3c95406e2639c61fa892625bf68bf58f0a89b0fdbc561c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3711787888\20240417150644_AutomaticDestinations.csv

Filesize
4KB

MD5
3ed2b7bf605fe5b0c247d0adecaba5a4

SHA1
737a5ba87895f5d9d1f2ff650e3834a83e67afc1

SHA256
b6184dc700f9759cb369f978408b5def343a991d993bf735eaaffba4cf08bd5b

SHA512
46817792976a4da12886986ec2bfb9188f6de1dd30d808186e6e7aa567f6de9f61c7be3b62f1115b26c4a8da491e3988e2c62f9d7ffb4fee87f71cf39d86fe68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3711787888\20240417150645_CustomDestinations.csv

Filesize
9KB

MD5
81317bfa99f0b199a204b09ca9120c89

SHA1
b46006241fcce4343597d8b93ca2c56909fec461

SHA256
be40228f10ba4dd3e0f11ebb44abc723f8b04b708b67c2c5cf965a51cd8503f7

SHA512
da533d7754d1f81c00d864a6f4df2c20d601fcc4901ccf222d4013a8bc61e48e6ce31e5d7bdfcae1787f585568798ac62ee554152005a9ce581d55b9029cf596

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4055270546

Filesize
73B

MD5
5bcb317f086d0652479705c477ad01c9

SHA1
9947e06ce9914f8310ada53f0015f379366301b9

SHA256
c782b68c7878166c0d278cc524e934bf4f7de056c3812400e2b7b582a51ec20f

SHA512
db389792292b5f304b846f22f5a6aaf21d0f0e3c7a84083d5066b4d5126a81fa5353fce55b3e150c3811d8fd734fe1612d4b893b0ae43720892c052ea6a00093

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp67761587

Filesize
5B

MD5
c146a7a9edbe218b6ed3bcb62ec4ad24

SHA1
2808ac9ccb1acdcf5aff036d0f71f86fd51d13e9

SHA256
f067985d352d2da6dfaef4844a66d06c5371ecbd9530a4d195ac599fef8b3427

SHA512
4f275042bf4bd0401f7a6b3e89f69818958ce8ef5fee2fc5bb9152c232479cdd9ed471d09099ec3dd20f321c5dbbbdcd8f920783edc68eace705fdd2dd10463a

Download Submit
memory/1368-160-0x0000000002370000-0x00000000023D2000-memory.dmp

Filesize
392KB

Download
memory/1368-146-0x000000001B1C0000-0x000000001B2C0000-memory.dmp

Filesize
1024KB

Download
memory/1368-164-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1368-873-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-869-0x000000001BF40000-0x000000001BF6E000-memory.dmp

Filesize
184KB

Download
memory/1368-151-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/1368-868-0x000000001BDF0000-0x000000001BEAE000-memory.dmp

Filesize
760KB

Download
memory/1368-867-0x000000001B310000-0x000000001B348000-memory.dmp

Filesize
224KB

Download
memory/1368-841-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/1368-320-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1368-321-0x00000000024C0000-0x00000000024E6000-memory.dmp

Filesize
152KB

Download
memory/1368-322-0x000000001AC80000-0x000000001AC88000-memory.dmp

Filesize
32KB

Download
memory/1368-343-0x000000001B080000-0x000000001B0B6000-memory.dmp

Filesize
216KB

Download
memory/1368-342-0x000000001ABD0000-0x000000001ABEE000-memory.dmp

Filesize
120KB

Download
memory/1368-344-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/1368-345-0x000000001B9C0000-0x000000001BA6A000-memory.dmp

Filesize
680KB

Download
memory/1368-346-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/1368-99-0x0000000000340000-0x00000000007EE000-memory.dmp

Filesize
4.7MB

Download
memory/1368-389-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-118-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-144-0x0000000000880000-0x00000000008A8000-memory.dmp

Filesize
160KB

Download
memory/1368-147-0x00000000008D0000-0x000000000090C000-memory.dmp

Filesize
240KB

Download
memory/1516-374-0x0000000002390000-0x00000000023C6000-memory.dmp

Filesize
216KB

Download
memory/1516-355-0x00000000002E0000-0x000000000071A000-memory.dmp

Filesize
4.2MB

Download
memory/1516-357-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1516-356-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1516-359-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/1516-358-0x0000000000890000-0x00000000008A4000-memory.dmp

Filesize
80KB

Download
memory/1516-376-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-347-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1716-156-0x000000001B6B0000-0x000000001B7AA000-memory.dmp

Filesize
1000KB

Download
memory/1716-350-0x0000000000DE0000-0x0000000000E10000-memory.dmp

Filesize
192KB

Download
memory/1716-143-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1716-349-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/1716-351-0x000000001BAF0000-0x000000001BB86000-memory.dmp

Filesize
600KB

Download
memory/1716-148-0x0000000000160000-0x0000000000174000-memory.dmp

Filesize
80KB

Download
memory/1716-116-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/1716-115-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-67-0x0000000001120000-0x000000000155A000-memory.dmp

Filesize
4.2MB

Download
memory/1716-348-0x0000000000B10000-0x0000000000B46000-memory.dmp

Filesize
216KB

Download
memory/1716-353-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-163-0x000000001B160000-0x000000001B23C000-memory.dmp

Filesize
880KB

Download
memory/1716-149-0x0000000000180000-0x000000000019A000-memory.dmp

Filesize
104KB

Download
memory/1716-166-0x0000000000600000-0x000000000061E000-memory.dmp

Filesize
120KB

Download
memory/1716-150-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2556-860-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-862-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-865-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-866-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-145-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-861-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-864-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-870-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-388-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-840-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-871-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-904-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-905-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download
memory/2556-906-0x000000013F260000-0x0000000142A5F000-memory.dmp

Filesize
56.0MB

Download