revengerat | baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
Size

2.1MB
MD5

5d8b1d0b165e6c4b4d78bcf52fb99570
SHA1

01a30b1390af9daf7d24a6f7a9e28ee883d5b2ee
SHA256

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8
SHA512

8b0508add284eb79bae3432225aad66759329b31dc5258dbbf76c1a7b0c7f847cbc10a51134348ccbdec74b84367cab855c3172d31916c9837965dd1bfe35695
SSDEEP

49152:PhxkP/I9K3pr4ZCOz5xLmKot5C7UzaxVlHAlImt4+O5XK2v0uV+w:AoQ3V4IGxLmKK4PA6E1GXzM4

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023ca5-45.dat	revengerat

Executes dropped EXE 37 IoCs

Processes:

winvnc.exeETConnectServer.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exe

pid	Process
1472	winvnc.exe
1464	ETConnectServer.exe
4384	winvnc.exe
4432	ETConnectService.exe
732	winvnc.exe
4400	ETConnectService.exe
1672	winvnc.exe
768	ETConnectService.exe
3988	winvnc.exe
2472	ETConnectService.exe
1316	winvnc.exe
4916	ETConnectService.exe
3132	winvnc.exe
3640	ETConnectService.exe
5068	winvnc.exe
1492	ETConnectService.exe
1468	winvnc.exe
772	ETConnectService.exe
2312	winvnc.exe
2376	ETConnectService.exe
2172	winvnc.exe
4904	ETConnectService.exe
2764	winvnc.exe
3244	ETConnectService.exe
1500	winvnc.exe
2972	ETConnectService.exe
3300	winvnc.exe
3204	ETConnectService.exe
4600	winvnc.exe
2948	ETConnectService.exe
724	winvnc.exe
2516	ETConnectService.exe
3660	winvnc.exe
2104	ETConnectService.exe
3360	winvnc.exe
2148	ETConnectService.exe
1692	winvnc.exe

Loads dropped DLL 4 IoCs

Processes:

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

pid	Process
2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 41 IoCs

Processes:

ETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ETConnectService.exe.log	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0	ETConnectService.exe

Drops file in Program Files directory 20 IoCs

Processes:

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

description	ioc	Process
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logmessages.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Readme.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\License.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vnchooks.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Whatsnew.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\workgrpdomnt4.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\ldapauth.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSLogonACL.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSRC4Plugin.dsm	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authadmin.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authSSP.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logging.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SCHook.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SecureVNCPlugin.dsm	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\uvnc_settings.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vncviewer.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exebaacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exewinvnc.exenet.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exenet1.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ETConnectServer.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ETConnectServer.exe

Runs net.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exewinvnc.exenet.exe

description	pid	Process	procid_target
PID 2236 wrote to memory of 1472	2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	95
PID 2236 wrote to memory of 1472	2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	95
PID 2236 wrote to memory of 1472	2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	95
PID 1472 wrote to memory of 4624	1472	winvnc.exe	96
PID 1472 wrote to memory of 4624	1472	winvnc.exe	96
PID 1472 wrote to memory of 4624	1472	winvnc.exe	96
PID 2236 wrote to memory of 1464	2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	98
PID 2236 wrote to memory of 1464	2236	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe	98
PID 4624 wrote to memory of 3436	4624	net.exe	99
PID 4624 wrote to memory of 3436	4624	net.exe	99
PID 4624 wrote to memory of 3436	4624	net.exe	99

C:\Users\Admin\AppData\Local\Temp\baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe
"C:\Users\Admin\AppData\Local\Temp\baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\net.exe
    net start "uvnc_service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "uvnc_service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3436
- C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1464

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4384

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4432

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:732

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4400

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:768

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3988

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2472

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1316

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4916

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3132

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3640

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1492

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:772

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2376

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4904

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3244

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1500

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2972

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3300

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3204

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4600

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2948

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:724

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2516

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3660

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2104

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3360

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2148

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe

Filesize
99KB

MD5
4986a56019bc459b3ab0c76d4cc12261

SHA1
48f308ec91d6d07e71a859d72c344ffaf232be92

SHA256
7417554d18b5a59936d83e96c7f83d3d030fa1ed0f70faa36099ba1bc309588a

SHA512
6aebf45b020b68c10d802cfebc8088a7194af4733c5f8c98c90eb16cfe3ca47764e50b0a565bf41033f3893b048dc339148c309057cc2698f3ced71a26d35804

Download Submit
C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe

Filesize
49KB

MD5
ba106429ad90a831e33c3f5446c59162

SHA1
837c576971ec4f6bdfbefe80437370f1a10100a0

SHA256
49734852249278a7c2fc2e39a6e1a501f1606b9e7696c281ff4e4a5c15df1ed5

SHA512
1e823216918d9e583d7046a111f3b3828f65e193254263cac29ed320b119150ad9492f134c6233e03b19ca7a2e2a4aeda4f45c01b4ac114cafff4f9361f68d46

Download Submit
C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe

Filesize
1.7MB

MD5
c77e369fcb8a75659035978e415e00a1

SHA1
0b58b5593a2718941828a9cd779fe1e7afc758a6

SHA256
f7d380fe1107d8fcc825bae0722da16293aabac259f49f1463fd8926be6dd353

SHA512
2753a751899e8fea977157c426200900d835cb0b63fa5b3f653545387a9658bc079f516f8326674f2b1d5479ad1a0af61f5d251b8dc95d17d5a723f49172ddfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBFB7.tmp\SimpleSC.dll

Filesize
59KB

MD5
52aaf305fba84b5107c453424df1864e

SHA1
9887f4bd7458e1a7724b90256c073492843841a7

SHA256
f41f1173b9d367bb6a085ff0b19d1273fc0b7dad32fedbb69b07240cfc9950c8

SHA512
9a05e7a2f62956bc46d2257496256606f40e7e78ca6199a80f5945f609e4c049a92c03d7b44d301a854a0bce32ff100ff6aa2b66d4fed649c2d90de95875dced

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404

Filesize
69KB

MD5
4c71921ced037191a0b4b046432fde49

SHA1
60ef1c18a77f63b879abaea9810521b2c7c13e1a

SHA256
3ef4d6b9a223700a6a93d387d18c8702e41349ed051b897484535e1b219323a3

SHA512
133b3064c3195847c8239bfc85700d9cd1655b212d16907c3c0d2a06b65ecbe4502d013086956ddfed3299f591b8296a83a96571242cf6f183c4cdf85422d490

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
1KB

MD5
b4f5d09d84faaa81ef56990cea7fc099

SHA1
c560e4dec80c548c6c958fdc680dd9fd5839b793

SHA256
4c7aee76da0c9b36857c410e93e0d01867993c53a65c42c75531a54bc3a02a86

SHA512
67857e61df1388dc03f770858eddeedd54ed9d75d094296f494d43fe2af9f4847bc4a7cbe29f09ac4c053b423a4c42f5e350660d04ff317170d7cd70ae2699f1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404

Filesize
300B

MD5
19ca464aa3a462e58ff3ede410f8068f

SHA1
4782c0314f56be47b3a91db149d4b69f7a99f5ce

SHA256
5e8c61bcb106ec9c6b105142e0b693d652f724cda72cccaf01e3b0888483595f

SHA512
668de2652cab93f8bf9b9719593ee0035a4cf5dc5aa7cd06de3ff873a77f3868a0a3bd19691ff1c8b2b85060bdfd8dbff5630ef5b739787f6285c55ed688da1e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
e15fe5e8d4a374e7930ed3c9ac2354a5

SHA1
ec8f423a9227704e98e0e23f560e85423e2bc491

SHA256
d1e6b534026cc196029e6802b0a3bbde02eff39a2bcac99949475486d1cb83b9

SHA512
f9f35ea933bbed231a0fdb7b7bd5b4159f9eed39afe4ea260e6610af834eafa7c64c7959d3dd72162641278fbe121c714c786d83c478a3f577fbecc67aeed66f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
177386fcff36d5f6dc4088799d7e26f5

SHA1
0f16342ea582e27a076944171881750e92fa9e2d

SHA256
96dcdcbbc34c795ce8d61626908904cb258a28b7124a8f0f251470e30d90adeb

SHA512
168d8d5258af220c8160ca8e4733dee2fa6435170a722286ef8c3a60254f0f422d4e21736603a44a85c829b80b470e4991d5ad5711d1921d2d9fc647a98db2f3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
efb9ba19d0ea96b8b14745139215c71e

SHA1
b0e4cf9104cf0a245b7290dc51f2fe76c993720e

SHA256
c593d2eb14829c0b2dc91b7a2f0a606cde833896f7dffa298dd7cf93d88c44e1

SHA512
c968f9bd78f4de4ead4ab670b05d08830144b6a4ff3a55280e3df48003a72eb1dc76d4dbd014af73660169b023bde0a50188bc8d1ca3c70a02fac63426e265d2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
4eabe881fe5b4288d5b4a9860740cacc

SHA1
9a5820a3729cb34b2892913d75e96d8294c72f52

SHA256
07775f11205fbdd21a6e2c037fbc239e0bd37529183e5e0f7d0dafe49a5e307b

SHA512
da08a3aee68d954a5951f2e82671d04c1ba5a67a65cf130f0b52bb6a4e8b4147057336cd487d69a17bd4836f011ba2a2398a5a7a3c1f89fcd6aaa675472685c0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
820c0ae3b63857c01172e4d33c8fb03c

SHA1
fcef3a48edc89178b0907ddad3b021198ba74684

SHA256
b286cfeb555bb5904921fde9135b82e57d36872b113eae5eb02297164d8cb28c

SHA512
c6d6ae2e86ec30bea9d45569a6a5f4fdfeea3db4d7bcfaea04c108cafe8dd8e4b7080fdd7dedf2327ec3d1d6bb07cff6d053dcf014e1a699f8d93b9f8e3506f0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
d4e3b7fde94a76c177d8084bca9de05a

SHA1
86b47c4f352d1d673d13f44043f6ef315f92df38

SHA256
eeae073f993679e12afe2b1b91edd6e97eddb4dfb43a4af2783222ef75381aae

SHA512
1e880c51afe5d4e398f0fb0b4b6848f923cd6ebd22b521162f6386fa445aaae6d1af1a3e866441557579650a087d34d005863582cb3cd1c561a251b78eb1451e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
d6562ab4d2a8d6cb1e286d934a594b5e

SHA1
ecd57c320d515f9b17462e60e33dbb499bc3f21f

SHA256
a4a73ae885ad3ad5c67d62b5988795e5b686bc0a35f255cda530cc47570950d3

SHA512
55bf4b1c79a009f0f5e9659650c8363c14955f396d1a3d2a6f3a67f083b832e03c977e22462ae06a3f776bb6a47eb648dafff26bb661b787977a13cc3fa14350

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
955921e4bde3d712235c03080f686689

SHA1
53f5e599e094c136395da6e34d75f16214b0adcd

SHA256
b3d82c5d4d62ece3afe44851ff078eee3eb7c2b34a4d8518f8ceeab2775f698d

SHA512
a5d52316226a5bfd22c290bc0fa2bd8587624a6db69e6419376afed596ed4d969fbc191a17ada7ab9615f8211ec4f2cb17091fcb3fe8ad321dcdcac9f0543339

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
828422009af25e9c2da99fab7206a2c0

SHA1
50b3510552c432106c56c78539d3618dc45c4797

SHA256
23011e3e91d8e6f6ebeaf7e8fa15f3d8f836cbfbcb5eb6819ee4abb68625e551

SHA512
8817b5b1ae66d4a7b3eae9426332ba2104cabad7f03ebdfb1ba2bc86a3d8ea18a3c2cb2f0a242a7557c0265437d17b0e2980bc55bb23c79a9cfd67de623d147f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
4c690a02ac1f169582f80b33499989b5

SHA1
f3f8d8c971e2d35a207d9eda969e2d6ab4e66ed9

SHA256
dc41dac3ea50047915569fea861b6cff154035639453048d1cba2ae3788109c5

SHA512
330309cf718431a72948248c7765fabbfd3c7311704380216b50e37c599d0ec78cfdf90d4492c4b070240359e971cfa5fe153a8b4c4ad82767a59dbfeab29374

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
1a6c0ce45251651937401472372cb0e0

SHA1
1471b157711b4beff0e89eaceaa6b9ea8acaf539

SHA256
d17c4c3bac78ae303841a49b15071d67ecee5604ff999522382225166e027521

SHA512
625b7b826593153f14218e226442dc8fd6511da0749c5401a704a5a98e791889bb062d66f785e4b8bee9fccdf4342cc07f1379db1a87574851c6abf9fab5cf78

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
500B

MD5
ae2894b2343eff3038cb4338f34c07f5

SHA1
4b3d55f730e2569d0997fce72fcd255cf69148ee

SHA256
19bf3ed8653c7a75b6e949a532c72f911222362198c2dc15ffdf123d7b3ad83c

SHA512
e2a4b817cc3cd5e952977fd0438eaf23114e08dca5681adcee15b2f1ebaee02943390404a67dc0b37ca38291c0e5b22802879ae01e70f684e851379e991ca344

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
400B

MD5
24b1f32399b65288a408f872dd6f4d61

SHA1
6755ef3524c8ef2fba3729f15f8b5b35ca730bc7

SHA256
ee9ead9327f6acb0f0c7cf4f8dae3fe0d970adb90ce2c4bdba12bf8a788a4856

SHA512
107bbc8712cfe6a750fef4ee66743415f35bbf29afa5929265ac3a679defa44609d29e48888bfb7f987ced5d965f410e8bba6f1fe57dc9b9729b04fec3b8baa3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ETConnectService.exe.log

Filesize
320B

MD5
90553a5cfae340e8f18b8cc06e384cea

SHA1
1824ddc964bebd255ee1f07616c3e8df673b1d19

SHA256
0b23f2451974f437d388d15ab2b71d2aae4772fc94ab60f7b69f60b4362324e1

SHA512
7889d3585c01399ebe9fd2ed9bdffef09741fc7693601b0cb0f4ae1f02d3729803c10e0754939ddb8cd33791c3b27eacc29b7ba4a7e83609b6ded281237bfb3b

Download Submit
memory/1464-117-0x00007FFB3FFA0000-0x00007FFB40941000-memory.dmp

Filesize
9.6MB

Download
memory/1464-107-0x00007FFB3FFA0000-0x00007FFB40941000-memory.dmp

Filesize
9.6MB

Download
memory/1464-106-0x00007FFB40255000-0x00007FFB40256000-memory.dmp

Filesize
4KB

Download
memory/1464-79-0x000000001E560000-0x000000001E580000-memory.dmp

Filesize
128KB

Download
memory/1464-78-0x000000001CBC0000-0x000000001CC0C000-memory.dmp

Filesize
304KB

Download
memory/1464-77-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/1464-76-0x000000001CAE0000-0x000000001CB7C000-memory.dmp

Filesize
624KB

Download
memory/1464-75-0x000000001C570000-0x000000001CA3E000-memory.dmp

Filesize
4.8MB

Download
memory/1464-74-0x000000001BFF0000-0x000000001C096000-memory.dmp

Filesize
664KB

Download
memory/1464-49-0x00007FFB3FFA0000-0x00007FFB40941000-memory.dmp

Filesize
9.6MB

Download
memory/1464-47-0x00007FFB40255000-0x00007FFB40256000-memory.dmp

Filesize
4KB

Download
memory/2236-24-0x00000000049D0000-0x00000000049E3000-memory.dmp

Filesize
76KB

Download