revengerat | dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
Size

2.1MB
MD5

0083bb621656471496f60d1973318730
SHA1

2d0209b0f14a8279efd85589dfb33b9b31fab77e
SHA256

dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93
SHA512

178833c13dee9466e2c8123280fb203c07b13831b1711d4687ce8495c28f1160c7a893c9a5d6a6874d6f44c1c21e5fb571221824248f13f9bfc3f08f61f3d28e
SSDEEP

49152:PhxkP/I9K3pr4ZCOz5xLmKot5C7UzaxVlHAlImt4+O5XK2v0uV+g:AoQ3V4IGxLmKK4PA6E1GXzM4

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000a000000023b8b-45.dat	revengerat

Executes dropped EXE 37 IoCs

pid	Process
4876	winvnc.exe
452	ETConnectServer.exe
4956	winvnc.exe
4592	ETConnectService.exe
3304	winvnc.exe
432	ETConnectService.exe
1896	winvnc.exe
60	ETConnectService.exe
3988	winvnc.exe
2996	ETConnectService.exe
944	winvnc.exe
3128	ETConnectService.exe
3848	winvnc.exe
844	ETConnectService.exe
3608	winvnc.exe
4880	ETConnectService.exe
2616	winvnc.exe
1720	ETConnectService.exe
5076	winvnc.exe
3952	ETConnectService.exe
2844	winvnc.exe
2532	ETConnectService.exe
2920	winvnc.exe
760	ETConnectService.exe
3432	winvnc.exe
4408	ETConnectService.exe
1544	winvnc.exe
4404	ETConnectService.exe
4660	winvnc.exe
4864	ETConnectService.exe
2504	winvnc.exe
4988	ETConnectService.exe
2448	winvnc.exe
508	ETConnectService.exe
4456	winvnc.exe
2020	ETConnectService.exe
3836	winvnc.exe

Loads dropped DLL 4 IoCs

pid	Process
4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ETConnectService.exe.log	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Readme.txt	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vnchooks.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vncviewer.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\ldapauth.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\License.txt	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logging.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSLogonACL.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SCHook.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\uvnc_settings.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authadmin.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logmessages.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\workgrpdomnt4.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SecureVNCPlugin.dsm	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Whatsnew.txt	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authSSP.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSRC4Plugin.dsm	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe

Runs net.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4876	4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	96
PID 4164 wrote to memory of 4876	4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	96
PID 4164 wrote to memory of 4876	4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	96
PID 4876 wrote to memory of 4556	4876	winvnc.exe	97
PID 4876 wrote to memory of 4556	4876	winvnc.exe	97
PID 4876 wrote to memory of 4556	4876	winvnc.exe	97
PID 4164 wrote to memory of 452	4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	99
PID 4164 wrote to memory of 452	4164	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	99
PID 4556 wrote to memory of 760	4556	net.exe	100
PID 4556 wrote to memory of 760	4556	net.exe	100
PID 4556 wrote to memory of 760	4556	net.exe	100

C:\Users\Admin\AppData\Local\Temp\dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
"C:\Users\Admin\AppData\Local\Temp\dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\net.exe
    net start "uvnc_service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "uvnc_service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:760
- C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:452

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4956

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4592

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3304

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:432

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:60

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3988

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2996

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3128

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3848

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:844

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3608

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4880

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1720

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5076

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3952

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2532

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:760

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3432

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4408

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4404

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4660

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4864

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4988

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:508

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4456

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2020

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe

Filesize
99KB

MD5
4986a56019bc459b3ab0c76d4cc12261

SHA1
48f308ec91d6d07e71a859d72c344ffaf232be92

SHA256
7417554d18b5a59936d83e96c7f83d3d030fa1ed0f70faa36099ba1bc309588a

SHA512
6aebf45b020b68c10d802cfebc8088a7194af4733c5f8c98c90eb16cfe3ca47764e50b0a565bf41033f3893b048dc339148c309057cc2698f3ced71a26d35804

Download Submit
C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe

Filesize
49KB

MD5
ba106429ad90a831e33c3f5446c59162

SHA1
837c576971ec4f6bdfbefe80437370f1a10100a0

SHA256
49734852249278a7c2fc2e39a6e1a501f1606b9e7696c281ff4e4a5c15df1ed5

SHA512
1e823216918d9e583d7046a111f3b3828f65e193254263cac29ed320b119150ad9492f134c6233e03b19ca7a2e2a4aeda4f45c01b4ac114cafff4f9361f68d46

Download Submit
C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe

Filesize
1.7MB

MD5
c77e369fcb8a75659035978e415e00a1

SHA1
0b58b5593a2718941828a9cd779fe1e7afc758a6

SHA256
f7d380fe1107d8fcc825bae0722da16293aabac259f49f1463fd8926be6dd353

SHA512
2753a751899e8fea977157c426200900d835cb0b63fa5b3f653545387a9658bc079f516f8326674f2b1d5479ad1a0af61f5d251b8dc95d17d5a723f49172ddfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA190.tmp\SimpleSC.dll

Filesize
59KB

MD5
52aaf305fba84b5107c453424df1864e

SHA1
9887f4bd7458e1a7724b90256c073492843841a7

SHA256
f41f1173b9d367bb6a085ff0b19d1273fc0b7dad32fedbb69b07240cfc9950c8

SHA512
9a05e7a2f62956bc46d2257496256606f40e7e78ca6199a80f5945f609e4c049a92c03d7b44d301a854a0bce32ff100ff6aa2b66d4fed649c2d90de95875dced

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404

Filesize
69KB

MD5
d5e6defaad50f11e32da8fa8a39ffe95

SHA1
f4f2cb83dab549ff39ec598cbb815971665f7530

SHA256
2038cdd54cc377f811d3b11a8256163e0f0df21b66cae82bbd4941809a9ef5c7

SHA512
0389844b180b9f0d53696bcd69fd30793e64742c70c7f7097e482fa4d0760f1946d4fe0c674695f7cfba646ea046b1d0396dca62ecd0d22f2f63759670b80e25

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
1KB

MD5
4bb5de919803c626b842db0b6274363d

SHA1
d037b69859c962e2ce774fa918f2db3f570f2142

SHA256
ae2ca8ab288f108444fab761c9a66b22eb817f2345a205cd99ab1b29b8a73b4f

SHA512
e435abf141fe4b182fecad68020d53cc848494ec1b2da09293a1b361e3770a605fd7cbece89211b0e4efe6b906c451536819d41c0253f8bb37d5a8826be3ac21

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404

Filesize
300B

MD5
7e9f09de023ed67992651429f9d2fd26

SHA1
76966e30e7a4500ff2bb735df4e9d9455226fdba

SHA256
5fd0a663a27173064a4d50581583db057609491a47f7b16e28085a87c8f8eaa5

SHA512
f9dc619a9330fe5654aa3cb4c96ddf92bf610ff05f7b4502c72e0d295261ec90ef2f68837d1683c3f55061d7bd4d0952872950776159e8acd054c04b670c47c4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
df0105495a059296efb6e66fa19ff4ea

SHA1
aa34e7642a363adf69a387a9736e2bdb67a0b0a4

SHA256
04e3467784afbcf64b16dbfc6ea190a0b31c64bca87cc66ed77d082e80f446c1

SHA512
900fc3094da290835906c4c6b2ed495d4790c10da7b7ee1b976088dce6e299b26d270b0d136c51f90c03e9c7b90f85ccdceebb75b43d13da54199ffbec3c14af

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
8a80d912dfd5d77555b828c47f7676cb

SHA1
2c95b8f2411059fa18c0dbb707d5b3496b835d49

SHA256
6c34ab906869e76fd9ce013c29f20cccf451199f5a29a951dd53bceedffaa2fd

SHA512
5c015fe245610ace9f967136e2a1d1c868ebb7377284fd1a590d9b971aa8893d9e854f9f8bfd6a52c4a016f19bc380e287b222161c9c84e02c9e8854aac4a49d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
7214df227acbd1d4afb08cf7c71ca650

SHA1
a6d8c7b61837d4afd1d1787486619a8ffb99b2a2

SHA256
ba63a3db30ee0baf2d52a1edace5936d07011572546e26e01a9ee4bc689dcaf5

SHA512
0f47de5c109ad78b35e685495b761a3528b47bdb416111b6334cdf7c7e10b983a7ccae2488650ef4080339d16e76d01b31df1bc155a4075c187dfe2a94dba301

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
24f4dac5f74a0bba7616bf7071795e2e

SHA1
25381c38a64ab64bbb9bb6937b53fe0eb3e838a1

SHA256
7e373c1ee62df0e0d69aa7f157f003a2aa2717d4ff6a1b3becfb032c39159b93

SHA512
e8cfd1adecd2e230edde78510101d14904185d83d8711eefa87098bee89fecbb39503cf22ef9c312853a1d73266c18b6173f0385139e2f0e56d4c42d748fcb6a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
af4df7b4619d39340454100631b9431f

SHA1
041ae35cfdc406ef8b5c579eb1b565fe31f38cc9

SHA256
a42165016f8d0da2eb4c8adf7a18735e74838b2cd3f9f6d03c53c1d9ce30f4af

SHA512
6709a33e47f912aa83c35b6280884fdded691cd8b85a74e05696fef6d02f19da4967eb0cda06dadbc1ec0b7c095a1b96e1aefb901e0c56177973146a8c381aa9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
ad5aef0a1b1f96e6708c8f1554d973a6

SHA1
f525aa897741968834a34b274307be7328708015

SHA256
d85654a5b4419e91d76fc5ee94b9bd95e241daae22264fea0ad993c502d9ba86

SHA512
26f19f2aa2c26ef6df3bd75c17dcb2e9bbea837bfe5a23154f841d0a044272b9e96de428bd29e9e8d074ee48663efcd9ad7db7a486428f712e2c239c08f4a5a0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
b3298223743641971d080eb9cd63256f

SHA1
cef5d3dfa726bc38fefcb53a2a2aa03654c42fba

SHA256
6cc490eb570a0dab195e6e4495f4ad8acaf0a0dfc05f2ba101141e3513f1358b

SHA512
9af932284781632e00e054a18ba84105612892f88a4f55560d01706616d09173fb909d264ec5f5190f62f768143a536200e3201b3c7fcc9d3d3632c16a4fecfd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
3ab2a090bd0f060a0018c74dcadb2060

SHA1
8742c726627dbd4bb45e69da2bff5b12374b4bb8

SHA256
1399248f9628d42b6b54126aecebfb2b8d24a68a393dd4fc62fb8f81fe3d9074

SHA512
01d78ef02322f47588bc34a85a9f2adc32d6b71dd106db05951df61db774e8c3f11f5cb173e632bdb0472d07446d9e77a24a3b0b78939aed7dd32859cb249d24

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
5f2bc1c8f8c4f6d91f63efd71758f4e7

SHA1
1eda1e5dbe96e3198442fa8febc455eb7799acc0

SHA256
dbbd3997a35930fa23ad43d18deeaf67a84e49bd106c01f92e4e9358092ed665

SHA512
af007790e291c902acb6ed3363bc258063ccb526ed4e8bc16067e09998306be7b74ea9c013341f15cef4afc1f7659e8a9b201d25f1494c8935f7b6e37ea2e377

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
bbcadc5165a3d1a0d208fa867167e526

SHA1
4cf3b623fe6ad07fc203cfa7edaa542790ac83f0

SHA256
2f8d9f856b560db7e0b69a059d59c2c12628814e40384144cd6b9bdf8ccfee1a

SHA512
eab64f01f8affb87fb49eef72c507a98e0d8673cde45fe2c0858a110954dd954583b8f52d5b87af955383492c5194938c8c6e5e8a342f67a199d23da1abca9c1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
cb0507e238b67cf3c193c6e981e02384

SHA1
bb934f77ef0e7bd4e045ea69cb0928775bb7989c

SHA256
2d1317bc1b260ad598f3de3acc80dd39cefbb71c5e71096933c194f83fdfe7e6

SHA512
924574249a50c0cd668bdd546ae6b632cedab797b37f672a0e094f83ae73b6e28ea97061dd7d1e94545ced81e38779dc574c1ee371ed5b2dc0cbdf95ee8b131a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
500B

MD5
eb1b8d7f8487b8cfa6dca820aa7ac272

SHA1
68a1ee5e8d7c37523e623d46bc423c1cc76c63aa

SHA256
8d60a209b32ce134849d2712ecc5f68dc966fcc2b9ff9197f56901e9291183cc

SHA512
b6c4a7d3bd570d2109a9201cd2194890e5cf390455b5e6161afbc2fa76432f64e602e6555d544dc8450a67636bad19e2c30b55b48aab2543c95e4cb5e7cd53df

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
400B

MD5
6ae31c1b5f6f12c7b2f1c0644fb59d17

SHA1
33073dfddca8d3af6bb61b2a5e917e78be00147d

SHA256
a99c6fa34a99ac1fdc6e5dd659e8a4dcba1c976d938b3bd352474add5acce5f3

SHA512
65648a52e31df314fe9ab680cae1e3de5fc9c8e1e86c49437f36907faf08e5ec577c64fa695ede04526a8e8b739121b50d719253b816034ccbaac8d33460fd27

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ETConnectService.exe.log

Filesize
320B

MD5
90553a5cfae340e8f18b8cc06e384cea

SHA1
1824ddc964bebd255ee1f07616c3e8df673b1d19

SHA256
0b23f2451974f437d388d15ab2b71d2aae4772fc94ab60f7b69f60b4362324e1

SHA512
7889d3585c01399ebe9fd2ed9bdffef09741fc7693601b0cb0f4ae1f02d3729803c10e0754939ddb8cd33791c3b27eacc29b7ba4a7e83609b6ded281237bfb3b

Download Submit
memory/452-75-0x000000001C7A0000-0x000000001C846000-memory.dmp

Filesize
664KB

Download
memory/452-113-0x00007FF91E470000-0x00007FF91EE11000-memory.dmp

Filesize
9.6MB

Download
memory/452-108-0x00007FF91E470000-0x00007FF91EE11000-memory.dmp

Filesize
9.6MB

Download
memory/452-107-0x00007FF91E725000-0x00007FF91E726000-memory.dmp

Filesize
4KB

Download
memory/452-80-0x000000001EC90000-0x000000001ECB0000-memory.dmp

Filesize
128KB

Download
memory/452-79-0x000000001D380000-0x000000001D3CC000-memory.dmp

Filesize
304KB

Download
memory/452-78-0x0000000001560000-0x0000000001568000-memory.dmp

Filesize
32KB

Download
memory/452-77-0x000000001D290000-0x000000001D32C000-memory.dmp

Filesize
624KB

Download
memory/452-76-0x000000001CD20000-0x000000001D1EE000-memory.dmp

Filesize
4.8MB

Download
memory/452-50-0x00007FF91E470000-0x00007FF91EE11000-memory.dmp

Filesize
9.6MB

Download
memory/452-49-0x00007FF91E470000-0x00007FF91EE11000-memory.dmp

Filesize
9.6MB

Download
memory/452-47-0x00007FF91E725000-0x00007FF91E726000-memory.dmp

Filesize
4KB

Download
memory/4164-24-0x00000000049D0000-0x00000000049E3000-memory.dmp

Filesize
76KB

Download