quasar | 537a88d2c2c8cee418e6b1da94d655caa0ece2beb6c04fe1f96aeb199d87eded

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paypal cracker.exe
Size

6.6MB
MD5

5627dd16f023b8be51ed365d2fb6fee5
SHA1

fcccce747bf6c824233cfda366798fa0467d3daf
SHA256

2e2f6fe5b310d843656af43b60c0faddf6eb0f329efc8353272437db44b5f247
SHA512

e475f903d2afd4c1b985f368f77610270df54bb8207130f6339e59595777718cfadadbb732775523a11aa035cbbf3c6d81896a33d84b40f6c01f182a1654f637
SSDEEP

98304:xRlI+LjNr86mjj/UYviu26bbyKS2myX0rPpIh1KcV:xRlVmj72wblTmyEpG17V

Score

10^/10

quasar venomrat windows security discovery persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes

encryption_key
7mvA2TfKjvMIY0zZeMKF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x00070000000193b3-27.dat	disable_win_def
behavioral1/files/0x000500000001a075-44.dat	disable_win_def
behavioral1/memory/2600-145-0x00000000009D0000-0x0000000000A5C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000193b3-27.dat	family_quasar
behavioral1/files/0x000500000001a075-44.dat	family_quasar
behavioral1/memory/2600-145-0x00000000009D0000-0x0000000000A5C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Venomrat family
venomrat

Executes dropped EXE 9 IoCs

pid	Process
2692	systemsvc.exe
2792	systemkvc.exe
2588	Checker.exe
1940	PAYPAL.EXE
2600	WINDOWS SECURITY.EXE
1792	6D9F65649A3.exe
2512	96822CC.exe
2588	WINDOWS SECURITY.EXE
1396	WINDOWS SECURITY.EXE

Loads dropped DLL 15 IoCs

pid	Process
2264	Paypal cracker.exe
2264	Paypal cracker.exe
2588	Checker.exe
2588	Checker.exe
2792	systemkvc.exe
2792	systemkvc.exe
1792	6D9F65649A3.exe
1792	6D9F65649A3.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1852	cmd.exe
1200	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\ABE5B91FAADB3479221132\\ABE5B91FAADB3479221132.exe"	systemsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AUA2J5H2YL = "C:\\Services\\6D9F65649A3.exe"	96822CC.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	2600	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS SECURITY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAYPAL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS SECURITY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6D9F65649A3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96822CC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemkvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2284	PING.EXE
2060	PING.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	96822CC.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PhishingFilter	96822CC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	96822CC.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery	96822CC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	96822CC.exe

Modifies registry class 56 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	PAYPAL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	PAYPAL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	PAYPAL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	PAYPAL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	PAYPAL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	PAYPAL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	PAYPAL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	PAYPAL.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2284	PING.EXE
2060	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	systemkvc.exe
2692	systemsvc.exe
2792	systemkvc.exe
1792	6D9F65649A3.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2588	WINDOWS SECURITY.EXE
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe
2512	96822CC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	PAYPAL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2692	systemsvc.exe
Token: SeSecurityPrivilege	2692	systemsvc.exe
Token: SeTakeOwnershipPrivilege	2692	systemsvc.exe
Token: SeLoadDriverPrivilege	2692	systemsvc.exe
Token: SeSystemProfilePrivilege	2692	systemsvc.exe
Token: SeSystemtimePrivilege	2692	systemsvc.exe
Token: SeProfSingleProcessPrivilege	2692	systemsvc.exe
Token: SeIncBasePriorityPrivilege	2692	systemsvc.exe
Token: SeCreatePagefilePrivilege	2692	systemsvc.exe
Token: SeBackupPrivilege	2692	systemsvc.exe
Token: SeRestorePrivilege	2692	systemsvc.exe
Token: SeShutdownPrivilege	2692	systemsvc.exe
Token: SeDebugPrivilege	2692	systemsvc.exe
Token: SeSystemEnvironmentPrivilege	2692	systemsvc.exe
Token: SeRemoteShutdownPrivilege	2692	systemsvc.exe
Token: SeUndockPrivilege	2692	systemsvc.exe
Token: SeManageVolumePrivilege	2692	systemsvc.exe
Token: 33	2692	systemsvc.exe
Token: 34	2692	systemsvc.exe
Token: 35	2692	systemsvc.exe
Token: SeDebugPrivilege	2792	systemkvc.exe
Token: SeDebugPrivilege	2792	systemkvc.exe
Token: SeDebugPrivilege	2792	systemkvc.exe
Token: SeDebugPrivilege	2792	systemkvc.exe
Token: SeDebugPrivilege	1792	6D9F65649A3.exe
Token: SeDebugPrivilege	1792	6D9F65649A3.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2600	WINDOWS SECURITY.EXE
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2600	WINDOWS SECURITY.EXE
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2588	WINDOWS SECURITY.EXE
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe
Token: SeDebugPrivilege	2512	96822CC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1940	PAYPAL.EXE
1940	PAYPAL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1940	PAYPAL.EXE
2600	WINDOWS SECURITY.EXE
1940	PAYPAL.EXE
1940	PAYPAL.EXE
1940	PAYPAL.EXE
1940	PAYPAL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2692	2264	Paypal cracker.exe	30
PID 2264 wrote to memory of 2692	2264	Paypal cracker.exe	30
PID 2264 wrote to memory of 2692	2264	Paypal cracker.exe	30
PID 2264 wrote to memory of 2792	2264	Paypal cracker.exe	31
PID 2264 wrote to memory of 2792	2264	Paypal cracker.exe	31
PID 2264 wrote to memory of 2792	2264	Paypal cracker.exe	31
PID 2264 wrote to memory of 2792	2264	Paypal cracker.exe	31
PID 2264 wrote to memory of 2588	2264	Paypal cracker.exe	32
PID 2264 wrote to memory of 2588	2264	Paypal cracker.exe	32
PID 2264 wrote to memory of 2588	2264	Paypal cracker.exe	32
PID 2264 wrote to memory of 2588	2264	Paypal cracker.exe	32
PID 2588 wrote to memory of 1940	2588	Checker.exe	33
PID 2588 wrote to memory of 1940	2588	Checker.exe	33
PID 2588 wrote to memory of 1940	2588	Checker.exe	33
PID 2588 wrote to memory of 1940	2588	Checker.exe	33
PID 2588 wrote to memory of 2600	2588	Checker.exe	34
PID 2588 wrote to memory of 2600	2588	Checker.exe	34
PID 2588 wrote to memory of 2600	2588	Checker.exe	34
PID 2588 wrote to memory of 2600	2588	Checker.exe	34
PID 2792 wrote to memory of 1792	2792	systemkvc.exe	35
PID 2792 wrote to memory of 1792	2792	systemkvc.exe	35
PID 2792 wrote to memory of 1792	2792	systemkvc.exe	35
PID 2792 wrote to memory of 1792	2792	systemkvc.exe	35
PID 1792 wrote to memory of 2512	1792	6D9F65649A3.exe	36
PID 1792 wrote to memory of 2512	1792	6D9F65649A3.exe	36
PID 1792 wrote to memory of 2512	1792	6D9F65649A3.exe	36
PID 1792 wrote to memory of 2512	1792	6D9F65649A3.exe	36
PID 1792 wrote to memory of 2512	1792	6D9F65649A3.exe	36
PID 1792 wrote to memory of 2512	1792	6D9F65649A3.exe	36
PID 2512 wrote to memory of 2792	2512	96822CC.exe	31
PID 2512 wrote to memory of 2792	2512	96822CC.exe	31
PID 2512 wrote to memory of 2792	2512	96822CC.exe	31
PID 2512 wrote to memory of 2792	2512	96822CC.exe	31
PID 2512 wrote to memory of 1940	2512	96822CC.exe	33
PID 2512 wrote to memory of 1940	2512	96822CC.exe	33
PID 2512 wrote to memory of 1940	2512	96822CC.exe	33
PID 2512 wrote to memory of 1940	2512	96822CC.exe	33
PID 2512 wrote to memory of 2600	2512	96822CC.exe	34
PID 2512 wrote to memory of 2600	2512	96822CC.exe	34
PID 2512 wrote to memory of 2600	2512	96822CC.exe	34
PID 2512 wrote to memory of 2600	2512	96822CC.exe	34
PID 2600 wrote to memory of 1700	2600	WINDOWS SECURITY.EXE	39
PID 2600 wrote to memory of 1700	2600	WINDOWS SECURITY.EXE	39
PID 2600 wrote to memory of 1700	2600	WINDOWS SECURITY.EXE	39
PID 2600 wrote to memory of 1700	2600	WINDOWS SECURITY.EXE	39
PID 2600 wrote to memory of 1852	2600	WINDOWS SECURITY.EXE	41
PID 2600 wrote to memory of 1852	2600	WINDOWS SECURITY.EXE	41
PID 2600 wrote to memory of 1852	2600	WINDOWS SECURITY.EXE	41
PID 2600 wrote to memory of 1852	2600	WINDOWS SECURITY.EXE	41
PID 2600 wrote to memory of 1676	2600	WINDOWS SECURITY.EXE	43
PID 2600 wrote to memory of 1676	2600	WINDOWS SECURITY.EXE	43
PID 2600 wrote to memory of 1676	2600	WINDOWS SECURITY.EXE	43
PID 2600 wrote to memory of 1676	2600	WINDOWS SECURITY.EXE	43
PID 1852 wrote to memory of 1604	1852	cmd.exe	44
PID 1852 wrote to memory of 1604	1852	cmd.exe	44
PID 1852 wrote to memory of 1604	1852	cmd.exe	44
PID 1852 wrote to memory of 1604	1852	cmd.exe	44
PID 1852 wrote to memory of 2284	1852	cmd.exe	45
PID 1852 wrote to memory of 2284	1852	cmd.exe	45
PID 1852 wrote to memory of 2284	1852	cmd.exe	45
PID 1852 wrote to memory of 2284	1852	cmd.exe	45
PID 2512 wrote to memory of 1852	2512	96822CC.exe	41
PID 2512 wrote to memory of 1852	2512	96822CC.exe	41
PID 2512 wrote to memory of 1852	2512	96822CC.exe	41

C:\Users\Admin\AppData\Local\Temp\Paypal cracker.exe
"C:\Users\Admin\AppData\Local\Temp\Paypal cracker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Roaming\systemsvc.exe
  "C:\Users\Admin\AppData\Roaming\systemsvc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Users\Admin\AppData\Roaming\systemkvc.exe
  "C:\Users\Admin\AppData\Roaming\systemkvc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Services\6D9F65649A3.exe
    "C:\Services\6D9F65649A3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\96822CC.exe
      "C:\Users\Admin\AppData\Local\Temp\96822CC.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2512
- C:\Users\Admin\AppData\Local\Temp\Checker.exe
  "Checker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\uy5yOVqTV7F1.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEpQvHWYjaSO.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
        7⤵
        Executes dropped EXE
        
        PID:1396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1448
      4⤵
      Loads dropped DLL
      Program crash
      PID:1676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Services\47B2B8B1239598F

Filesize
34KB

MD5
6a172fdb857f0ac1921efc443e407e7d

SHA1
9401bd19abe0750b866625107f146c1cf55c75b8

SHA256
ab3adcd792f9526fc8634b1de30773d74becadaf056c8d3b1aeee1641f4d640b

SHA512
195a632b76a2a19227cbd1364b810148764c6e5b94971d3e34f93e83d38d410d122db52671a9ebca4087e0216361c6e54db7f959a83832cb5ca2d769cec04ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\96822CC.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe

Filesize
5.9MB

MD5
3425a9f00842bf28a0bafc5c1571b881

SHA1
3009eca32bcf159981d37a8620836b1d215aa33e

SHA256
7328321fccd71cfda94a18656158ce54b0e3a0831d48f46f559b442a33a1790a

SHA512
868b816f376a3bc38d24850808eb5410e4037acedd0849ad73868065525444a4cca54e3484d5ac0b14523217f3d6da24fc6132942632653439f0ea5310084bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE

Filesize
534KB

MD5
9e14775490cee79c73cb45c2f24f7a73

SHA1
ddd6c7485a5e64a66a0a7598777abdafa7a63950

SHA256
d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

SHA512
1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEpQvHWYjaSO.bat

Filesize
213B

MD5
19736a966ca9e3de86dbd578fe432f16

SHA1
f507603f438840d7eaa5b598556e509040a62d03

SHA256
e835deb76665287f0cc77378c22357ce8ab0c43ea7b2e8b2b9e0fb6d56a1c0a9

SHA512
af68a86157db93d008362c7076a35383b558966b25a6b25170b90c9c66d3581e3bf4cefce65ca9a534486c11f4ab470bca1ae77743c96ed40d32b125c5c73b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uy5yOVqTV7F1.bat

Filesize
213B

MD5
bb2f78e149da47536fade0d0b4de8fd3

SHA1
46ac8d07a9766c02e6d3e25d9a309b7954c239a5

SHA256
0e8089114db000862261c18c4088a1991f15881c5925ec32d595ae7a786d15c1

SHA512
86f224cf62dfb097e7c0ae2e5184ddf2e81d5a739728df85ae3cba2382fdb22498e7e4db6e25645538f9a337438c7d037df1baf21aac0dca31bbd1fdc9901d1c

Download Submit
C:\Users\Admin\AppData\Roaming\systemkvc.exe

Filesize
355KB

MD5
33ed3913ea48a41363644e37261fddc2

SHA1
f52b405849a5bcffa792ee44643c7d6c9db9044f

SHA256
3859cde03ca6389bb5973e274ab9da5b51b9593a319e1b16330225b2aea8bd63

SHA512
1b4c87215b7da10166ddfc9a9f214a8fc4292905517f4632fea937fd5aff83f8cec3c99cf15dac0d6d34f0a180b592e2f3fc8346e6aa52bcf064c396b547e053

Download Submit
C:\Users\Admin\Desktop\New Text Document.txt

Filesize
11B

MD5
fc0fd331f06f178f1784b3ac10d55be9

SHA1
a4055329129f29983175460f2040a1044f52e404

SHA256
686d730989029fa82d827e3af80ce673ed16673363c6353a408b930a2f23b977

SHA512
98ea91beb8c38de34f543f2c1162d60ecb0b6bb620802c80b4c0495b1309b0893e198a8360ce9ae0db4b1dbc28572423930b5efeb0f8624480fac4686daa111c

Download Submit
\Users\Admin\AppData\Local\Temp\PAYPAL.EXE

Filesize
5.3MB

MD5
341b34b571af06277c2f3b4156bd86df

SHA1
ba120240400cc6dcf0e92e732d4f460f3763102b

SHA256
9a579053ee79c9ee45e29ac1887aba8cb87936c01026b5f3d830456547adc441

SHA512
2cbb482d2e087e18b7461c9a317aa249adf12821de17d6dd59f3c17e01394047df31e875a551d23d32a64a46f8db46003c2feced7e967dd159bc65d3bff76e66

Download Submit
\Users\Admin\AppData\Roaming\systemsvc.exe

Filesize
299KB

MD5
5d5392e5c3edac5337a75692f75b4c8e

SHA1
80b9f25c4162e69fc24a5a056e2c3fc029b68f02

SHA256
e7c8df1d1cf7e5abf9c6c025ee99acad9ce907d5f584bb38c5eeb32706251109

SHA512
15141c710c41ff75b23b8b406d91b105dcfe5bb8819ae067baf1d2383a599e081ce14c978bdae151129352ccb096cd587e4ab1bf4f0995c284907e606ed66227

Download Submit
memory/1792-71-0x00000000013C0000-0x000000000141C000-memory.dmp

Filesize
368KB

Download
memory/1940-403-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download
memory/1940-39-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download
memory/2512-97-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-107-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-73-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2512-68-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2512-74-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2512-91-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-88-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-78-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2512-77-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2512-92-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/2512-75-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2512-98-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-99-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-117-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-116-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-112-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-111-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-110-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-109-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-93-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/2512-94-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2512-95-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-96-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-108-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-113-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-114-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-115-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-100-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-101-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-102-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-103-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-106-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-105-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2512-104-0x000000000BB50000-0x000000000BBA2000-memory.dmp

Filesize
328KB

Download
memory/2588-37-0x0000000003790000-0x0000000003EBB000-memory.dmp

Filesize
7.2MB

Download
memory/2600-129-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-124-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-131-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-130-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-125-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-126-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-127-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-128-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-119-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2600-120-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2600-145-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/2600-123-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2600-122-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2792-45-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2792-53-0x00000000013C0000-0x000000000141C000-memory.dmp

Filesize
368KB

Download
memory/2792-46-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2792-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2792-175-0x00000000003F0000-0x000000000044C000-memory.dmp

Filesize
368KB

Download
memory/2792-19-0x000000000047E000-0x000000000047F000-memory.dmp

Filesize
4KB

Download
memory/2792-20-0x000000000047E000-0x000000000047F000-memory.dmp

Filesize
4KB

Download
memory/2792-22-0x000000000047E000-0x000000000047F000-memory.dmp

Filesize
4KB

Download
memory/2792-18-0x00000000003F0000-0x000000000044C000-memory.dmp

Filesize
368KB

Download