dcrat | 6983444f08941c47b17a1c0f23431f538340e0febaa5858a4afed5bb75650908

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1889e4152e16cfe78a18739fed6fb08a.dll
Size

2.7MB
MD5

1889e4152e16cfe78a18739fed6fb08a
SHA1

5e6f4589a3006a311e02ade1384b9898f490b597
SHA256

6983444f08941c47b17a1c0f23431f538340e0febaa5858a4afed5bb75650908
SHA512

89339007911e01c6d7f24737efa92fc61d1287a31dcee2e802d381c2a9981375212b19bcc270a39a3872b1b4983eb07a4caa4cbf9fa7f6822408263346e83488
SSDEEP

49152:UnwY5UQC3ad5/iojZIphmzJAwSXX6cIOjYzxlOwtqo:yj9JAwyqKjYzxlOwz

Score

10^/10

dcrat evasion infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	vupyfafuvddrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\ce233\svchost.exe = "0"	vupyfafuvddrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe = "0"	vupyfafuvddrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3976-155-0x0000000000400000-0x0000000000520000-memory.dmp	dcrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	504	rundll32.exe
19	504	rundll32.exe
31	504	rundll32.exe
41	504	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 34 IoCs

pid	Process
1716	vupyfafuvddrss.exe
2232	vupyfafuvddrss.exe
4168	vupyfafuvddrss.exe
4936	vupyfafuvddrss.exe
3976	vupyfafuvddrss.exe
4008	vupyfafuvddrss.exe
3484	vupyfafuvddrss.exe
3160	vupyfafuvddrss.exe
3440	vupyfafuvddrss.exe
1684	vupyfafuvddrss.exe
364	vupyfafuvddrss.exe
4644	vupyfafuvddrss.exe
1668	vupyfafuvddrss.exe
4300	vupyfafuvddrss.exe
4852	vupyfafuvddrss.exe
4052	vupyfafuvddrss.exe
3348	vupyfafuvddrss.exe
4892	vupyfafuvddrss.exe
1164	vupyfafuvddrss.exe
4156	vupyfafuvddrss.exe
544	vupyfafuvddrss.exe
3132	vupyfafuvddrss.exe
2412	vupyfafuvddrss.exe
4680	vupyfafuvddrss.exe
4896	vupyfafuvddrss.exe
4856	vupyfafuvddrss.exe
4592	vupyfafuvddrss.exe
2296	vupyfafuvddrss.exe
3576	vupyfafuvddrss.exe
3556	vupyfafuvddrss.exe
1852	vupyfafuvddrss.exe
4056	vupyfafuvddrss.exe
4456	vupyfafuvddrss.exe
4020	vupyfafuvddrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	vupyfafuvddrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	vupyfafuvddrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	vupyfafuvddrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\ce233\svchost.exe = "0"	vupyfafuvddrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe = "0"	vupyfafuvddrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dcf22 = "C:\\Windows\\Resources\\Themes\\ce233\\svchost.exe"	vupyfafuvddrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dcf22 = "C:\\Windows\\Resources\\Themes\\ce233\\svchost.exe"	vupyfafuvddrss.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 set thread context of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 set thread context of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 set thread context of 364	1716	vupyfafuvddrss.exe	108
PID 1716 set thread context of 4644	1716	vupyfafuvddrss.exe	109
PID 1716 set thread context of 1668	1716	vupyfafuvddrss.exe	111
PID 1716 set thread context of 4300	1716	vupyfafuvddrss.exe	114
PID 1716 set thread context of 3348	1716	vupyfafuvddrss.exe	117
PID 1716 set thread context of 1164	1716	vupyfafuvddrss.exe	119
PID 1716 set thread context of 4156	1716	vupyfafuvddrss.exe	120
PID 1716 set thread context of 544	1716	vupyfafuvddrss.exe	121
PID 1716 set thread context of 3132	1716	vupyfafuvddrss.exe	122
PID 1716 set thread context of 4680	1716	vupyfafuvddrss.exe	124
PID 1716 set thread context of 4896	1716	vupyfafuvddrss.exe	125
PID 1716 set thread context of 4856	1716	vupyfafuvddrss.exe	126
PID 1716 set thread context of 4592	1716	vupyfafuvddrss.exe	128
PID 1716 set thread context of 3576	1716	vupyfafuvddrss.exe	132
PID 1716 set thread context of 3556	1716	vupyfafuvddrss.exe	133
PID 1716 set thread context of 4056	1716	vupyfafuvddrss.exe	136
PID 1716 set thread context of 4020	1716	vupyfafuvddrss.exe	138

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\ce233\svchost.exe	vupyfafuvddrss.exe
File opened for modification	C:\Windows\Resources\Themes\ce233	vupyfafuvddrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
504	rundll32.exe
504	rundll32.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
3748	powershell.exe
3652	powershell.exe
1780	powershell.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
3652	powershell.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
3748	powershell.exe
1780	powershell.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe
1716	vupyfafuvddrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	vupyfafuvddrss.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	3976	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4008	vupyfafuvddrss.exe
Token: SeDebugPrivilege	3160	vupyfafuvddrss.exe
Token: SeDebugPrivilege	364	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4644	vupyfafuvddrss.exe
Token: SeDebugPrivilege	1668	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4300	vupyfafuvddrss.exe
Token: SeDebugPrivilege	3348	vupyfafuvddrss.exe
Token: SeDebugPrivilege	1164	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4156	vupyfafuvddrss.exe
Token: SeDebugPrivilege	544	vupyfafuvddrss.exe
Token: SeDebugPrivilege	3132	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4680	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4896	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4856	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4592	vupyfafuvddrss.exe
Token: SeDebugPrivilege	3576	vupyfafuvddrss.exe
Token: SeDebugPrivilege	3556	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4056	vupyfafuvddrss.exe
Token: SeDebugPrivilege	4020	vupyfafuvddrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 504	3872	rundll32.exe	82
PID 3872 wrote to memory of 504	3872	rundll32.exe	82
PID 3872 wrote to memory of 504	3872	rundll32.exe	82
PID 504 wrote to memory of 1716	504	rundll32.exe	88
PID 504 wrote to memory of 1716	504	rundll32.exe	88
PID 504 wrote to memory of 1716	504	rundll32.exe	88
PID 1716 wrote to memory of 1780	1716	vupyfafuvddrss.exe	92
PID 1716 wrote to memory of 1780	1716	vupyfafuvddrss.exe	92
PID 1716 wrote to memory of 1780	1716	vupyfafuvddrss.exe	92
PID 1716 wrote to memory of 3748	1716	vupyfafuvddrss.exe	94
PID 1716 wrote to memory of 3748	1716	vupyfafuvddrss.exe	94
PID 1716 wrote to memory of 3748	1716	vupyfafuvddrss.exe	94
PID 1716 wrote to memory of 3652	1716	vupyfafuvddrss.exe	96
PID 1716 wrote to memory of 3652	1716	vupyfafuvddrss.exe	96
PID 1716 wrote to memory of 3652	1716	vupyfafuvddrss.exe	96
PID 1716 wrote to memory of 2232	1716	vupyfafuvddrss.exe	98
PID 1716 wrote to memory of 2232	1716	vupyfafuvddrss.exe	98
PID 1716 wrote to memory of 2232	1716	vupyfafuvddrss.exe	98
PID 1716 wrote to memory of 4168	1716	vupyfafuvddrss.exe	99
PID 1716 wrote to memory of 4168	1716	vupyfafuvddrss.exe	99
PID 1716 wrote to memory of 4168	1716	vupyfafuvddrss.exe	99
PID 1716 wrote to memory of 4936	1716	vupyfafuvddrss.exe	100
PID 1716 wrote to memory of 4936	1716	vupyfafuvddrss.exe	100
PID 1716 wrote to memory of 4936	1716	vupyfafuvddrss.exe	100
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 3976	1716	vupyfafuvddrss.exe	101
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 4008	1716	vupyfafuvddrss.exe	102
PID 1716 wrote to memory of 3484	1716	vupyfafuvddrss.exe	103
PID 1716 wrote to memory of 3484	1716	vupyfafuvddrss.exe	103
PID 1716 wrote to memory of 3484	1716	vupyfafuvddrss.exe	103
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3160	1716	vupyfafuvddrss.exe	104
PID 1716 wrote to memory of 3440	1716	vupyfafuvddrss.exe	105
PID 1716 wrote to memory of 3440	1716	vupyfafuvddrss.exe	105
PID 1716 wrote to memory of 3440	1716	vupyfafuvddrss.exe	105
PID 1716 wrote to memory of 1684	1716	vupyfafuvddrss.exe	107
PID 1716 wrote to memory of 1684	1716	vupyfafuvddrss.exe	107
PID 1716 wrote to memory of 1684	1716	vupyfafuvddrss.exe	107
PID 1716 wrote to memory of 364	1716	vupyfafuvddrss.exe	108
PID 1716 wrote to memory of 364	1716	vupyfafuvddrss.exe	108
PID 1716 wrote to memory of 364	1716	vupyfafuvddrss.exe	108
PID 1716 wrote to memory of 364	1716	vupyfafuvddrss.exe	108
PID 1716 wrote to memory of 364	1716	vupyfafuvddrss.exe	108
PID 1716 wrote to memory of 364	1716	vupyfafuvddrss.exe	108
PID 1716 wrote to memory of 364	1716	vupyfafuvddrss.exe	108

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1889e4152e16cfe78a18739fed6fb08a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1889e4152e16cfe78a18739fed6fb08a.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
    "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Checks computer location settings
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ce233\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\ce233\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:364
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:544
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe
      "C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vupyfafuvddrss.exe.log

Filesize
1KB

MD5
24571733de6cbc205797846823780476

SHA1
4e98730158f50edc8d4e035d3fd5fb90b1e677ea

SHA256
68acb64e05a07391ebaa6ed89a3f313b410f31808ed806f908501eb7c69378d6

SHA512
36ac07837339d55b07f33034089a50a0325060c8ef0fb34880a604594132cf1121ee0b4e2abba2ab342ae29fa9b7805fb94f3d8042978c620a6a2d93b9a25a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5427c85bb689629cd07da7d1c8e7ec9e

SHA1
e0e65b3f10da9fa4823a4ec51bafc1e733c172d6

SHA256
45c55f5e0f1c2023cf2dd2c82b225b9eb49e5410b78370eacbf537138da84236

SHA512
4c6336a4e954f879f58c8ead15d3944af522daee7c585f7868cc0b2098a7e12a4349f202882cf75d51f9b2fb0df501b1e2d2d794d8a0b05e6e24d79ded127cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
35f98e7bc8a6b0aab539710986a1a2fd

SHA1
9807b854336d0404cf6f0ec8514a850f1ecfdcca

SHA256
3ee68214039cc29a3da2b0f1e8e6594f04a93d35541489b8777e6db2453cc261

SHA512
4b74d241e298c8c9ac646405cebadddf75bc6616711510896ad1cd3906f323f107405dccf3ea7b2bfe67df6b5e80ba2315cd05cd041b7eb8efcb41f200180b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vupyfafuvddrss.exe

Filesize
923KB

MD5
e50ba846dfad1579e93f52e938d2d3af

SHA1
46519b1b475c6786bee7a745a51f14f3dfd5ae47

SHA256
ad3e2f3429a348471c86a98a9222e1e2e78fb0c991ec5fd9f908a71f2c51e618

SHA512
32caacc3eea41b39f4748aabcdbb76a9b499f1fe13c8c2a53cebe74a462c1dec43bf6ef888a74993ff03d2bcbe9a1247198bdde951e18989e7e795f954a68a41

Download Submit
memory/1716-142-0x0000000007700000-0x0000000007792000-memory.dmp

Filesize
584KB

Download
memory/1716-252-0x0000000000A90000-0x0000000000B2C000-memory.dmp

Filesize
624KB

Download
memory/1716-136-0x0000000000410000-0x00000000004FE000-memory.dmp

Filesize
952KB

Download
memory/1716-144-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/1716-137-0x0000000007B50000-0x00000000080F4000-memory.dmp

Filesize
5.6MB

Download
memory/1780-163-0x0000000073FD0000-0x000000007401C000-memory.dmp

Filesize
304KB

Download
memory/1780-141-0x0000000002880000-0x00000000028B6000-memory.dmp

Filesize
216KB

Download
memory/3652-160-0x0000000073FD0000-0x000000007401C000-memory.dmp

Filesize
304KB

Download
memory/3652-145-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/3652-172-0x0000000007C70000-0x0000000007C7E000-memory.dmp

Filesize
56KB

Download
memory/3652-157-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/3748-162-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/3748-174-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/3748-173-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/3748-167-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/3748-166-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/3748-147-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/3748-164-0x0000000007B90000-0x000000000820A000-memory.dmp

Filesize
6.5MB

Download
memory/3748-146-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/3748-165-0x00000000074E0000-0x00000000074FA000-memory.dmp

Filesize
104KB

Download
memory/3748-161-0x0000000073FD0000-0x000000007401C000-memory.dmp

Filesize
304KB

Download
memory/3748-159-0x00000000067F0000-0x0000000006822000-memory.dmp

Filesize
200KB

Download
memory/3748-143-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/3976-155-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3976-158-0x0000000005E50000-0x0000000005EA0000-memory.dmp

Filesize
320KB

Download