revengerat | baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
Size

2.1MB
MD5

5d8b1d0b165e6c4b4d78bcf52fb99570
SHA1

01a30b1390af9daf7d24a6f7a9e28ee883d5b2ee
SHA256

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8
SHA512

8b0508add284eb79bae3432225aad66759329b31dc5258dbbf76c1a7b0c7f847cbc10a51134348ccbdec74b84367cab855c3172d31916c9837965dd1bfe35695
SSDEEP

49152:PhxkP/I9K3pr4ZCOz5xLmKot5C7UzaxVlHAlImt4+O5XK2v0uV+w:AoQ3V4IGxLmKK4PA6E1GXzM4

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/files/0x0009000000015db6-36.dat	revengerat

Executes dropped EXE 37 IoCs

Processes:

winvnc.exeETConnectServer.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exe

pid	Process
2872	winvnc.exe
2608	ETConnectServer.exe
2600	winvnc.exe
956	ETConnectService.exe
2728	winvnc.exe
2868	ETConnectService.exe
2820	winvnc.exe
2944	ETConnectService.exe
2512	winvnc.exe
640	ETConnectService.exe
2732	winvnc.exe
2648	ETConnectService.exe
776	winvnc.exe
2568	ETConnectService.exe
1628	winvnc.exe
2100	ETConnectService.exe
2788	winvnc.exe
1792	ETConnectService.exe
1080	winvnc.exe
1836	ETConnectService.exe
992	winvnc.exe
2968	ETConnectService.exe
2352	winvnc.exe
1160	ETConnectService.exe
1132	winvnc.exe
1080	ETConnectService.exe
2184	winvnc.exe
1224	ETConnectService.exe
348	winvnc.exe
2664	ETConnectService.exe
1920	winvnc.exe
1132	ETConnectService.exe
1648	winvnc.exe
2996	ETConnectService.exe
1552	winvnc.exe
3016	ETConnectService.exe
2320	winvnc.exe

Loads dropped DLL 7 IoCs

Processes:

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

pid	Process
2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 26 IoCs

Processes:

ETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe

Drops file in Program Files directory 20 IoCs

Processes:

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

description	ioc	Process
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logmessages.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SecureVNCPlugin.dsm	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Whatsnew.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\workgrpdomnt4.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authadmin.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authSSP.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\ldapauth.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logging.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Readme.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\uvnc_settings.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vncviewer.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\License.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSLogonACL.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSRC4Plugin.dsm	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SCHook.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vnchooks.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winvnc.exenet.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exenet1.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exebaacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0005000000018697-32.dat	nsis_installer_1
behavioral1/files/0x0005000000018697-32.dat	nsis_installer_2

Modifies data under HKEY_USERS 64 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ETConnectServer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe

Runs net.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exewinvnc.exenet.exe

description	pid	Process	procid_target
PID 2376 wrote to memory of 2872	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	31
PID 2376 wrote to memory of 2872	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	31
PID 2376 wrote to memory of 2872	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	31
PID 2376 wrote to memory of 2872	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	31
PID 2872 wrote to memory of 2884	2872	winvnc.exe	32
PID 2872 wrote to memory of 2884	2872	winvnc.exe	32
PID 2872 wrote to memory of 2884	2872	winvnc.exe	32
PID 2872 wrote to memory of 2884	2872	winvnc.exe	32
PID 2376 wrote to memory of 2608	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	34
PID 2376 wrote to memory of 2608	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	34
PID 2376 wrote to memory of 2608	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	34
PID 2376 wrote to memory of 2608	2376	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	34
PID 2884 wrote to memory of 2852	2884	net.exe	35
PID 2884 wrote to memory of 2852	2884	net.exe	35
PID 2884 wrote to memory of 2852	2884	net.exe	35
PID 2884 wrote to memory of 2852	2884	net.exe	35

C:\Users\Admin\AppData\Local\Temp\baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
"C:\Users\Admin\AppData\Local\Temp\baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\net.exe
    net start "uvnc_service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "uvnc_service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2608

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:956

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2868

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2944

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:640

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2648

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:776

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2568

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2100

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1792

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1836

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:992

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2968

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1160

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1080

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1224

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:348

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2664

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1132

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2996

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3016

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe

Filesize
49KB

MD5
ba106429ad90a831e33c3f5446c59162

SHA1
837c576971ec4f6bdfbefe80437370f1a10100a0

SHA256
49734852249278a7c2fc2e39a6e1a501f1606b9e7696c281ff4e4a5c15df1ed5

SHA512
1e823216918d9e583d7046a111f3b3828f65e193254263cac29ed320b119150ad9492f134c6233e03b19ca7a2e2a4aeda4f45c01b4ac114cafff4f9361f68d46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45741749127c3f60f2db26f80fd6618d

SHA1
7ee772d51046884c1192e2d6345f6f0d9428bb2d

SHA256
e6b17203a2442656c75772ffdb5e85dc75949e91d337616ad390da09234f5ef9

SHA512
91deb7e5eab4c8f2ad93256ac9dad222de2daba4057c36ff43cdbe245ea05fdc2bcc1ffcaa9c287f68b7ac20caee0c3b9aaef3544c35701f2588f82f04d080fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF80.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f11929218adf7db61de903b89f17b71

SHA1
a289ca0fcf2885a427132db67e6abb850a982134

SHA256
8d7bc9a629b2fc9ea15de835e710f6afdf050feeb1b12ef67217709f988c7d61

SHA512
ff53e4a6a5aed39f4293f38ebf2e7bf7e7e62929142f5c72ad11ec7aaffb0983c01a6e89ac398c0b6a4c2582d70c1f31f617d68f635a3cd0c37c33c803e825f1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
edfa66f51e1655a173a2062abbda8d68

SHA1
ff942bbc92fe14617acf1c4ecd7db43145d19e20

SHA256
6033a20e86ffdaa8c072f22ac037c39c41f45b206ff515c5071fbfa15db70d04

SHA512
06cd0968a788e2bb81c168f57626a0eae88372ad37c662ca32fb5f642e78d687198ac8311b5564eb3ff9b8e42ba3dd1329a85704da761a6a5ad5be3ec81885b3

Download Submit
C:\Windows\Temp\Cab1DFE.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404

Filesize
69KB

MD5
4c71921ced037191a0b4b046432fde49

SHA1
60ef1c18a77f63b879abaea9810521b2c7c13e1a

SHA256
3ef4d6b9a223700a6a93d387d18c8702e41349ed051b897484535e1b219323a3

SHA512
133b3064c3195847c8239bfc85700d9cd1655b212d16907c3c0d2a06b65ecbe4502d013086956ddfed3299f591b8296a83a96571242cf6f183c4cdf85422d490

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
1KB

MD5
b4f5d09d84faaa81ef56990cea7fc099

SHA1
c560e4dec80c548c6c958fdc680dd9fd5839b793

SHA256
4c7aee76da0c9b36857c410e93e0d01867993c53a65c42c75531a54bc3a02a86

SHA512
67857e61df1388dc03f770858eddeedd54ed9d75d094296f494d43fe2af9f4847bc4a7cbe29f09ac4c053b423a4c42f5e350660d04ff317170d7cd70ae2699f1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404

Filesize
300B

MD5
f87f060d5d97088e087352fc20b1cc3d

SHA1
da91b34779dfdf9c6b175b9f7118e5f23a4ed030

SHA256
11e3760831e3f4ad634dd9985ccca3394d1b78e53cba6a868bf8d1c530a10f13

SHA512
5ea5655bae94f712103ea281c82e95d4cc6c14eb0a0d6ffcf988461c7f3e376a9a26e8250b84ca837df1910a338a815e69b181020b433a197942b92be5bf077b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1691c0460ada499c4e8234c427f047ce

SHA1
96562f965ff7244702d2c2105345ffb288c8f4e8

SHA256
101eb66cd0c447add74fcad0277229f1d0b2c870fb9261a04f2eeb1c03f70d82

SHA512
2e0145011331efdcea046b1227e4816dbdcaa676fe70241e264c653573c072b18e3e54f63636ea3d7a2df43c217425dcf9cab3a38ad8ed35f6f63053cebf0be1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f43f38acf49472b9536089db5b7a3780

SHA1
f13c5ba254e36e383242d21d643206f64998dd63

SHA256
833117440d12248b717935e2c2bbcb9257ec3045d4f40862e2a00d51ba4eeb24

SHA512
e9fc6c0d6751083e5f43206470697d4aed6737c6fd8455b94494d66c2bebdf9b865b12a978f61fd67e42addd50c373b28f93dd02cf72f85ce6385f886e5b0335

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9212b59608a3bf6f8954c664e985da49

SHA1
7876a3196e61f8ff055650195cb4585554071f0b

SHA256
527e47cd9eee9dafe0b44ab9fb3fc48fe2acda29388badcd61db9b9f21d362d8

SHA512
6baadbeb98b4e406a25fd21afc0915dc384ddcc5d6aec3c9f7755bf4831a732c71a9e8e49bd1dcbbc0fb8f8a04f902338f975ce31a23ca51a3c3e6605bffa105

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3708e0fb35d82977a1a7df08015414c

SHA1
b61c47c8d04a0bb2b03632c7b369e1a1d66a4694

SHA256
0b6dbeb945fde086e05430524cf8a11430d228abd41c132132579ceba31de5c6

SHA512
3f66631b7f18c4006e7b3ef82c7b2897203ff1aa10ac637ecbfbcac0fd87a5fdc36c3e7355005048ff5817b3d0008c5416918adecf31076957e0e105a2e55959

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3488ecdb6ae74cb7a14842a3ab7e2e48

SHA1
3170e10a7033ce81afd8a9325159e420d2a570bf

SHA256
7011693a3cd595d37a34e61ad59bbc8097aa2fae27284f697b4d360245bb0462

SHA512
e8a7a5b4e48d148b25f0fb9af5123f8317457917f1dfca24cc876f200854e5d190658f115c52bdb4e3ba159dee5e0e49b607748d8133760d32149c6cff433493

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d7bfcb14c445b772354ab5187c19cb0

SHA1
5d4999a6c9cc5957b93af5665dcac59c7e94004e

SHA256
798d2bff0a6271e74bf3c75402f20c6fe8f0114be32e949afbcf7e80d98a1d04

SHA512
033a40a893c41ef589fe32a8b0f242a4920002989e1ddae3372f9ebf33f2363b9edb3e94e2691b694be60fe2bfe87b1c8209fe9dcf80126ebb4e1bfedac0bf47

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
776c24f6a5dbd045ba7ed482bb930336

SHA1
6b023890e753a038904804f7afa616745d923794

SHA256
be26a3f7c9df3aead4df10de27ada6454ac344689c37507f8642db0f6020b329

SHA512
1e223526291d4f57375d29cbe734cd02e37959ee575e2809b003db3c94c09d6c8e89fb260e5cdb3ec64ae662ad6affc6b69684d9d005eee9da4ccede06ff7e99

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8120fe14bb8ea6468eb7ba6f48d1f9ed

SHA1
e537a25e26b8bd34742cd5813da8ce658bd31ba1

SHA256
69340436827ececd6a6975892eb71d6c38d01701ee13fe5b8e16909627fa4bad

SHA512
4f38fb6740d22a09e270031038a0d1b5e5d84a051851a17b46a732ad0abf87f2ca5eb38f6505e353176bd13067cd0e15ce7bebadbc800270fac174df0bb95f20

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687ef45451662589a7981b7367602d71

SHA1
cdff08a861f855288bde8d1cafb420d0e16d3707

SHA256
e5244c1ec2e1e4fbf4d25f9b601be76bef224d278e9eea5157058e386582451c

SHA512
2dc7619efd28952b321e457cbbefe62914db7bc009717bbe4c961eebbaef5a01a12e5454747c68e76acf9b29b8f86b20c4c3ac272a2cd52272f7d8723c4e6f65

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2097e4635b31cc2c3c6695ffb6c82df

SHA1
85da210dfbb9756c1f6977629bf9d6ce0571421e

SHA256
2cbb616b7548d2d24b433e3bf9cd0edf1a52d1665233f68485414f5af05ccf57

SHA512
a56282d27cec5b221a6e8492b368398761b3de61e724c52483214243c7837274c6bd8a63125b1ff44473f2cb39da5843409f59a9d9b1281a64ab8b1657f78419

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ba48d65c61c1b434ddf37fe20f6b0a3

SHA1
879de1d122bb79c19922b1d0183cdbd89749bf80

SHA256
0ae22abded5c13464e59255a61cacb71fb540f42e06f0d60e5509b289b41044f

SHA512
f571c90cd631010ad17a2d5376dbc761bc2835e466172e2090b723b7c0a654e1cae2d3019816ea06f021a259d70d29d693e088ccda714bbb4870e75d1f056bc9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8268d6a025cf71e342ba5da1009a80e7

SHA1
9d26603d827fb62edd3223c266b3b8336d469f61

SHA256
e0cc9109fae2cddc6149757caf0e31e4730ddc9955afe4f104e14e9088ab0aa5

SHA512
fa99456d5921f91646755744435fcd0a87abae06e8efaad7ab25e6b120733d56e62ce57cfef93c48c31aaaf4ef14448919f20c2604a1016a07dca4c76d5073c8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
823c39c2c291dd665e4a016415c3b570

SHA1
b3b60da5af0db3b150cd1affd0a3a9b4594d150f

SHA256
5d59ccd81b6310d823fc0700d5333fee03c282d85c80420edfac2832d5f669ac

SHA512
e8cf1fde6db80cb861e2fd738ec26c1052f11dc87385b615e3fc844bc8fdba0c4479f5d38bbebad42243e9d29a87e3b0cffc14e77d59b0068082ae58fd3c4d6e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
562a838add019cd3d91050d25468d0d6

SHA1
0a876ffc74742c5b2b7a2677c5ac1e9f49cbf6bd

SHA256
8d83068cd71a7ff39c8047d253e94eb7dfb0dfaef958bb6df92a7f64adaff49a

SHA512
b7031d3fc5344806e382a9f9c6d1fa00a42deb853ace502898cd1555fd4999ed3807542e5710da2a1c5d38cb6160bafe542d3d6d784d42d83eb11064550e49c2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
500B

MD5
cdd6fb8fdd49e3b9b39b2c83d368c7f3

SHA1
bdfb2ebc38b5176b60e7987de6b6ba6f328c010e

SHA256
2e9a05f94d5597928dd368b29a04f59bd2fee320e3c24b61c5ec7d52159afd9e

SHA512
4ff25ad86214f09a29c7102595b5f85d316a9e60a909de660133e2b6a33eb80352a576dcb3df87585b6f9d3f7ec4d0235da048bf8ab4837b2b031828085637ac

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
400B

MD5
20eaff5ba52b4dbd2a498aba68d5884c

SHA1
790dd24adf27a8c504833bb7b6a313009ec1304a

SHA256
71bb4df9de39975bd03436e48a02d0ed49f426a152277d81bcbac596a9b09ae7

SHA512
7e87403ffe8a096938102d6e69fdb8826a9511a08d3da5c9e60923d3b781db90e2ba34476bfb433f7c410b2898e331aed05da000a8e201f85c75a75cbeacd271

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe

Filesize
99KB

MD5
4986a56019bc459b3ab0c76d4cc12261

SHA1
48f308ec91d6d07e71a859d72c344ffaf232be92

SHA256
7417554d18b5a59936d83e96c7f83d3d030fa1ed0f70faa36099ba1bc309588a

SHA512
6aebf45b020b68c10d802cfebc8088a7194af4733c5f8c98c90eb16cfe3ca47764e50b0a565bf41033f3893b048dc339148c309057cc2698f3ced71a26d35804

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe

Filesize
1.7MB

MD5
c77e369fcb8a75659035978e415e00a1

SHA1
0b58b5593a2718941828a9cd779fe1e7afc758a6

SHA256
f7d380fe1107d8fcc825bae0722da16293aabac259f49f1463fd8926be6dd353

SHA512
2753a751899e8fea977157c426200900d835cb0b63fa5b3f653545387a9658bc079f516f8326674f2b1d5479ad1a0af61f5d251b8dc95d17d5a723f49172ddfd

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe

Filesize
92KB

MD5
868a941db98bdc0e5a886818d73a3881

SHA1
fe305c2a2d6a0f7863e395b44c3713bb273b9d44

SHA256
8e96347d00d379e42cffd00d771b22a8dd96a0d426d50473374f99e65b343391

SHA512
ceeab3d6fa68c911ff96a5be3ca904f3e558b1bacf6b7b5eb60fa2a351ec196e54700305f13576f7f1b98cc259f6f925ac4a590a4276e847bdd97aeb742e54dc

Download Submit
\Users\Admin\AppData\Local\Temp\nst5BC.tmp\SimpleSC.dll

Filesize
59KB

MD5
52aaf305fba84b5107c453424df1864e

SHA1
9887f4bd7458e1a7724b90256c073492843841a7

SHA256
f41f1173b9d367bb6a085ff0b19d1273fc0b7dad32fedbb69b07240cfc9950c8

SHA512
9a05e7a2f62956bc46d2257496256606f40e7e78ca6199a80f5945f609e4c049a92c03d7b44d301a854a0bce32ff100ff6aa2b66d4fed649c2d90de95875dced

Download Submit
memory/2376-23-0x00000000022E0000-0x00000000022F3000-memory.dmp

Filesize
76KB

Download
memory/2608-50-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2608-313-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download