dcrat | 047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde

Analysis

max time kernel
150s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
17/10/2022, 17:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
Size

217KB
MD5

08e981aad501e2f56c900456ab9c0ae9
SHA1

e212cc704088b4578e94b81048f351815a65571e
SHA256

047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde
SHA512

db6c0a34daefdc368873f70868130885a231bfddf6e7767ab05c2164abb06742c59dcab25fbd0e1ad63cce182714f3574d1d7ef5d9062b5be3a76baaaa607d1f
SSDEEP

3072:q5AdfSkoe/iGHRfgEeZ1L+3myW+8uCZVsg1wmuERQqsvmg8gksvBOv3:qudpsKR4EcL+2yW31wmuLvn8Vsvgv

Score

10^/10

dcrat djvu redline smokeloader vidar 517 backdoor collection discovery infostealer persistence ransomware rat spyware stealer trojan vmprotect

Malware Config

Extracted

Family

djvu

http://winnlinne.com/lancer/get.php

Attributes

extension
.tury
offline_id
Uz66zEbmA32arcxwT81zZhkb23026oHz5iSp8qt1
payload_url
http://rgyui.top/dl/build2.exe

http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-o7UXxOstmw Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0585Jhyjd

rsa_pubkey.plain

Extracted

Family

vidar

Version

Botnet

517

https://t.me/truewallets

https://mas.to/@zara99

http://116.203.10.3:80

Attributes

profile_id
517

Extracted

Family

redline

45.15.156.37:110

Attributes

auth_value
5b663effac3b92fe687f0181631eeff2

Signatures

DcRat 46 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		100096	schtasks.exe
		100128	schtasks.exe
		100224	schtasks.exe
		100344	schtasks.exe
		592	schtasks.exe
		3828	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6ba74600-18b1-4cde-91eb-e8565ed21624\\E394.exe\" --AutoStart"		E394.exe
		100032	schtasks.exe
		100068	schtasks.exe
		4492	schtasks.exe
		2056	schtasks.exe
		2924	schtasks.exe
		304	schtasks.exe
		4232	schtasks.exe
		99592	schtasks.exe
		100208	schtasks.exe
		100328	schtasks.exe
		4540	schtasks.exe
		2256	schtasks.exe
		100160	schtasks.exe
		1764	schtasks.exe
		1880	schtasks.exe
		1388	schtasks.exe
		680	schtasks.exe
		100312	schtasks.exe
		99580	schtasks.exe
		2448	schtasks.exe
		4620	schtasks.exe
		2116	schtasks.exe
		1228	schtasks.exe
		2328	schtasks.exe
		100052	schtasks.exe
		100112	schtasks.exe
		100176	schtasks.exe
		100192	schtasks.exe
		100264	schtasks.exe
		1344	schtasks.exe
		1748	schtasks.exe
		4208	schtasks.exe
		2276	schtasks.exe
		100240	schtasks.exe
		100280	schtasks.exe
		100296	schtasks.exe
		160	schtasks.exe
		3820	schtasks.exe

Detected Djvu ransomware 7 IoCs

resource	yara_rule
behavioral1/memory/1816-369-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3316-373-0x00000000023F0000-0x000000000250B000-memory.dmp	family_djvu
behavioral1/memory/1816-467-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1816-500-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5052-527-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/5052-602-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5052-807-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

resource	yara_rule
behavioral1/memory/2032-299-0x0000000000680000-0x0000000000689000-memory.dmp	family_smokeloader
behavioral1/memory/5060-995-0x0000000000680000-0x0000000000689000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100032	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100052	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100068	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100096	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100112	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100128	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100160	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100176	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100192	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100208	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100224	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100240	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100264	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100280	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100296	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100312	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100328	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100344	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	99580	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	99592	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	160	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	99996	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	99996	schtasks.exe	102

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/99556-1021-0x000000000046A9EE-mapping.dmp	dcrat
behavioral1/memory/99556-1058-0x0000000000400000-0x0000000000470000-memory.dmp	dcrat

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

pid	Process
4448	C614.exe
4676	CCFA.exe
4648	D383.exe
2032	D951.exe
4172	DF2E.exe
3316	E394.exe
1816	E394.exe
3760	E394.exe
5052	E394.exe
4940	build2.exe
4972	build2.exe
3936	build3.exe
860	4B09.exe
3308	61AF.exe
2188	6E14.exe
5060	bhfrjsa
5044	acfrjsa
4076	mstsca.exe
1404	7D38.exe
4260	vbc.exe
2184	9620.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000800000001ac27-167.dat	vmprotect
behavioral1/files/0x000800000001ac27-168.dat	vmprotect
behavioral1/memory/4676-174-0x0000000140000000-0x000000014060E000-memory.dmp	vmprotect
behavioral1/files/0x000700000001ac2a-237.dat	vmprotect
behavioral1/files/0x000700000001ac2a-236.dat	vmprotect

Deletes itself 1 IoCs

pid	Process
2320	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
4972	build2.exe
4972	build2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2112	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6ba74600-18b1-4cde-91eb-e8565ed21624\\E394.exe\" --AutoStart"	E394.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.2ip.ua
21	api.2ip.ua
28	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3316 set thread context of 1816	3316	E394.exe	77
PID 3760 set thread context of 5052	3760	E394.exe	81
PID 4940 set thread context of 4972	4940	build2.exe	83
PID 1404 set thread context of 99556	1404	7D38.exe	101

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\b8e26d5294f99f	vbc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\5b884080fd4f94	vbc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	vbc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94	vbc.exe
File created	C:\Program Files (x86)\Common Files\Java\mstsca.exe	vbc.exe
File created	C:\Program Files (x86)\Common Files\Java\f78f0be4a2bb50	vbc.exe
File created	C:\Program Files (x86)\Common Files\Services\build2.exe	vbc.exe
File created	C:\Program Files\Reference Assemblies\bhfrjsa.exe	vbc.exe
File created	C:\Program Files\Reference Assemblies\b2a7e0652380fb	vbc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\fontdrvhost.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4780	4648	WerFault.exe	68
5076	2032	WerFault.exe	69
3316	5060	WerFault.exe	94
6720	4972	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	acfrjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	acfrjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C614.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C614.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C614.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	acfrjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 44 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1764	schtasks.exe
2448	schtasks.exe
100052	schtasks.exe
100128	schtasks.exe
100264	schtasks.exe
100344	schtasks.exe
4540	schtasks.exe
2328	schtasks.exe
304	schtasks.exe
100032	schtasks.exe
100160	schtasks.exe
100208	schtasks.exe
99592	schtasks.exe
2924	schtasks.exe
2116	schtasks.exe
100096	schtasks.exe
100176	schtasks.exe
100328	schtasks.exe
1748	schtasks.exe
592	schtasks.exe
2056	schtasks.exe
3820	schtasks.exe
1228	schtasks.exe
2276	schtasks.exe
100280	schtasks.exe
100296	schtasks.exe
1344	schtasks.exe
4492	schtasks.exe
1880	schtasks.exe
4620	schtasks.exe
100192	schtasks.exe
100312	schtasks.exe
160	schtasks.exe
4208	schtasks.exe
2256	schtasks.exe
3828	schtasks.exe
680	schtasks.exe
4232	schtasks.exe
100240	schtasks.exe
99580	schtasks.exe
1388	schtasks.exe
100068	schtasks.exe
100112	schtasks.exe
100224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
2452	047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2320	Process not Found

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
2452	047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
2320	Process not Found
2320	Process not Found
4448	C614.exe
2320	Process not Found
2320	Process not Found
5044	acfrjsa
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found
2320	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found
Token: SeShutdownPrivilege	2320	Process not Found
Token: SeCreatePagefilePrivilege	2320	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4448	2320	Process not Found	66
PID 2320 wrote to memory of 4448	2320	Process not Found	66
PID 2320 wrote to memory of 4448	2320	Process not Found	66
PID 2320 wrote to memory of 4676	2320	Process not Found	67
PID 2320 wrote to memory of 4676	2320	Process not Found	67
PID 2320 wrote to memory of 4648	2320	Process not Found	68
PID 2320 wrote to memory of 4648	2320	Process not Found	68
PID 2320 wrote to memory of 4648	2320	Process not Found	68
PID 2320 wrote to memory of 2032	2320	Process not Found	69
PID 2320 wrote to memory of 2032	2320	Process not Found	69
PID 2320 wrote to memory of 2032	2320	Process not Found	69
PID 2320 wrote to memory of 4172	2320	Process not Found	70
PID 2320 wrote to memory of 4172	2320	Process not Found	70
PID 2320 wrote to memory of 3316	2320	Process not Found	71
PID 2320 wrote to memory of 3316	2320	Process not Found	71
PID 2320 wrote to memory of 3316	2320	Process not Found	71
PID 2320 wrote to memory of 4208	2320	Process not Found	74
PID 2320 wrote to memory of 4208	2320	Process not Found	74
PID 2320 wrote to memory of 4208	2320	Process not Found	74
PID 2320 wrote to memory of 4208	2320	Process not Found	74
PID 2320 wrote to memory of 4816	2320	Process not Found	76
PID 2320 wrote to memory of 4816	2320	Process not Found	76
PID 2320 wrote to memory of 4816	2320	Process not Found	76
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 3316 wrote to memory of 1816	3316	E394.exe	77
PID 1816 wrote to memory of 2112	1816	E394.exe	78
PID 1816 wrote to memory of 2112	1816	E394.exe	78
PID 1816 wrote to memory of 2112	1816	E394.exe	78
PID 1816 wrote to memory of 3760	1816	E394.exe	79
PID 1816 wrote to memory of 3760	1816	E394.exe	79
PID 1816 wrote to memory of 3760	1816	E394.exe	79
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 3760 wrote to memory of 5052	3760	E394.exe	81
PID 5052 wrote to memory of 4940	5052	E394.exe	82
PID 5052 wrote to memory of 4940	5052	E394.exe	82
PID 5052 wrote to memory of 4940	5052	E394.exe	82
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 4940 wrote to memory of 4972	4940	build2.exe	83
PID 5052 wrote to memory of 3936	5052	E394.exe	84
PID 5052 wrote to memory of 3936	5052	E394.exe	84
PID 5052 wrote to memory of 3936	5052	E394.exe	84
PID 3936 wrote to memory of 304	3936	build3.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe
"C:\Users\Admin\AppData\Local\Temp\047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2452

C:\Users\Admin\AppData\Local\Temp\C614.exe
C:\Users\Admin\AppData\Local\Temp\C614.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4448

C:\Users\Admin\AppData\Local\Temp\CCFA.exe
C:\Users\Admin\AppData\Local\Temp\CCFA.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\AppData\Local\Temp\D383.exe
C:\Users\Admin\AppData\Local\Temp\D383.exe
1⤵
- Executes dropped EXE
PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 476
  2⤵
  - Program crash
  PID:4780

C:\Users\Admin\AppData\Local\Temp\D951.exe
C:\Users\Admin\AppData\Local\Temp\D951.exe
1⤵
- Executes dropped EXE
PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 480
  2⤵
  - Program crash
  PID:5076

C:\Users\Admin\AppData\Local\Temp\DF2E.exe
C:\Users\Admin\AppData\Local\Temp\DF2E.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\E394.exe
C:\Users\Admin\AppData\Local\Temp\E394.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\E394.exe
  C:\Users\Admin\AppData\Local\Temp\E394.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\6ba74600-18b1-4cde-91eb-e8565ed21624" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\E394.exe
    "C:\Users\Admin\AppData\Local\Temp\E394.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\E394.exe
      "C:\Users\Admin\AppData\Local\Temp\E394.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build2.exe
        
        "C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build2.exe
        
        "C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1704
        7⤵
        Program crash
        
        PID:6720
    - - C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build3.exe
        
        "C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:304

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4208

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\4B09.exe
C:\Users\Admin\AppData\Local\Temp\4B09.exe
1⤵
- Executes dropped EXE
PID:860

C:\Users\Admin\AppData\Local\Temp\61AF.exe
C:\Users\Admin\AppData\Local\Temp\61AF.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Users\Admin\AppData\Local\Temp\6E14.exe
C:\Users\Admin\AppData\Local\Temp\6E14.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Roaming\acfrjsa
C:\Users\Admin\AppData\Roaming\acfrjsa
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5044

C:\Users\Admin\AppData\Roaming\bhfrjsa
C:\Users\Admin\AppData\Roaming\bhfrjsa
1⤵
- Executes dropped EXE
PID:5060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 476
  2⤵
  - Program crash
  PID:3316

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4076
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:4232

C:\Users\Admin\AppData\Local\Temp\7D38.exe
C:\Users\Admin\AppData\Local\Temp\7D38.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Drops file in Program Files directory
  PID:99556
- - C:\SystemID\vbc.exe
    "C:\SystemID\vbc.exe"
    3⤵
    - Executes dropped EXE
    PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D951D" /sc MINUTE /mo 14 /tr "'C:\odt\D951.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D951" /sc ONLOGON /tr "'C:\odt\D951.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D951D" /sc MINUTE /mo 11 /tr "'C:\odt\D951.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "build2b" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\build2.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "build2" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\build2.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "build2b" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\build2.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D951D" /sc MINUTE /mo 5 /tr "'C:\odt\D951.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D951" /sc ONLOGON /tr "'C:\odt\D951.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D951D" /sc MINUTE /mo 10 /tr "'C:\odt\D951.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bhfrjsab" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\bhfrjsa.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bhfrjsa" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\bhfrjsa.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bhfrjsab" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\bhfrjsa.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:99580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:99592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mstscam" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\mstsca.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mstsca" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\mstsca.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mstscam" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Java\mstsca.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 6 /tr "'C:\SystemID\vbc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vbc" /sc ONLOGON /tr "'C:\SystemID\vbc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 11 /tr "'C:\SystemID\vbc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Users\Admin\AppData\Local\Temp\9620.exe
C:\Users\Admin\AppData\Local\Temp\9620.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4236

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3716

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5588

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemID\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\SystemID\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
006c98bc42ac1d15f0ec70e3488783c5

SHA1
a8c8302826468c903b511e206d6d058e2c3acdaa

SHA256
e24883740fbed2781e4df4e5387cd95c3345ec9944edeeb36babd2c10135fa00

SHA512
e0caea17f99a18483e0195c5311942c195ef42532f1868bfb5c64b3f6cb72cc0fc58414176a9bfc66452e11d17c2058eafb483a41890f502ec76dc3a6807f2f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
97ab7ffd65186e85f453dc7c02637528

SHA1
f22312a6a44613be85c0370878456a965f869a40

SHA256
630df8e970cc3b1ad508db713dd8be52e0ac7a5826f3f264a266232f9a1c23ee

SHA512
37d90c98e72ad55b2cbb938541c81bac1aa9d2b8a7e19f0fbfaa365b49e7bef2d3199f03e46aa9fbf3055f3701d21860820c451065f7e425d39bf86ca606bfb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
09aab87522aa083a4c1355a8c62d502f

SHA1
cd794e0362f63880c2c854a749b5bbe84e984f58

SHA256
302f74ff1d038f770fbb7f987782162c5207cb74d6761956ea2e7ece67a62229

SHA512
071332af50441dea0693c50736d19284a1690603ed805e7e22437d3c159954d567fd9af49806e3f7cfd92d8c492d8a9b6f71a30f43aebb6ec4da2cfa4dd9f749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
b8b81aa6f8fc7e5f32f40f8ab37d92b0

SHA1
051893b0f0451d04ce5b89e26b083667d87579b7

SHA256
e19eafd48b0a60b5cede516ae1d107c828b8515b6556483b66d278ad737f5da2

SHA512
a03366623c8d6903a95401061b4f4ff163fb73064215ff61312e6bfefb5368b134441fb83619dcfcbd10771619d03b849e9a455df0377f210718e06d6220a507

Download Submit
C:\Users\Admin\AppData\Local\6ba74600-18b1-4cde-91eb-e8565ed21624\E394.exe

Filesize
736KB

MD5
36fc2440660c5f4509c3abcdde9a1c3a

SHA1
23b9d0fe11194e29394beedddfd462225af5118e

SHA256
78f55fd75a0e521099c5f29bc271195d0ac94fbd3a5332b022eae4f0f304df2d

SHA512
c77645c4fcc5c41129d6528d768919c0b470840417a49a0fb899e30740bae25ff5819fab37d765db1a5b86406343b561a8e03aa0033cf44a0afae711d3f4f025

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B09.exe

Filesize
409KB

MD5
35c735e520b3e79a45c54baf7df79655

SHA1
938f9fd661ca2aafaf1f344c3fadf52b808dfe38

SHA256
13895b62c74f41648b06560d18cef2b0a648a6569eee913c66fb8f5ce7d3051a

SHA512
4de9a366048178917e1b5ea52adbbdeaf874a68847d029ada3f0ea495121651cf399c1b30e3a324613005994718f04c149c4186c5ba880ce9d3951fa1b3a35e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B09.exe

Filesize
409KB

MD5
35c735e520b3e79a45c54baf7df79655

SHA1
938f9fd661ca2aafaf1f344c3fadf52b808dfe38

SHA256
13895b62c74f41648b06560d18cef2b0a648a6569eee913c66fb8f5ce7d3051a

SHA512
4de9a366048178917e1b5ea52adbbdeaf874a68847d029ada3f0ea495121651cf399c1b30e3a324613005994718f04c149c4186c5ba880ce9d3951fa1b3a35e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\61AF.exe

Filesize
346KB

MD5
e269b25b97b08572972bbe8bc37273e7

SHA1
e1c9f458417ec83b7e282150a3f9f4fd0880ea65

SHA256
13ab290c78cd5ea5f7123475e893683a21a57c881a24322a8f0c495995f578d5

SHA512
6a1120fe9b26c6e4fdf4e4ab816088fa89131540cdf549e0dc306dd12357f348107c18c50eaa131cb823c067f714a8ecaebbe54a394b9d9e07874b76c507be23

Download Submit
C:\Users\Admin\AppData\Local\Temp\61AF.exe

Filesize
346KB

MD5
e269b25b97b08572972bbe8bc37273e7

SHA1
e1c9f458417ec83b7e282150a3f9f4fd0880ea65

SHA256
13ab290c78cd5ea5f7123475e893683a21a57c881a24322a8f0c495995f578d5

SHA512
6a1120fe9b26c6e4fdf4e4ab816088fa89131540cdf549e0dc306dd12357f348107c18c50eaa131cb823c067f714a8ecaebbe54a394b9d9e07874b76c507be23

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E14.exe

Filesize
346KB

MD5
6f45bb42cedd2e9d9dd8f8e9f2a415f5

SHA1
8ed74277c342c7e25c81d346963b40c41d46253c

SHA256
3c1621252cd82cf9ece1618f87290701c955de4749ac5a80a439e4ef8ec25af0

SHA512
d3cd4596a3e6138dfce30c63bec24f7287bfd246a3064797d5b226cc8c5aaf724903b130693663fb75d4300cd71197c470c05dc07fa8c7e6eb6a1accb18f29db

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E14.exe

Filesize
346KB

MD5
6f45bb42cedd2e9d9dd8f8e9f2a415f5

SHA1
8ed74277c342c7e25c81d346963b40c41d46253c

SHA256
3c1621252cd82cf9ece1618f87290701c955de4749ac5a80a439e4ef8ec25af0

SHA512
d3cd4596a3e6138dfce30c63bec24f7287bfd246a3064797d5b226cc8c5aaf724903b130693663fb75d4300cd71197c470c05dc07fa8c7e6eb6a1accb18f29db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D38.exe

Filesize
2.8MB

MD5
0dd7b5d429760ba78ee56d4cffdc8e58

SHA1
02b064596c7280b4775429cc5d625ccb03d347e9

SHA256
70e9c21963c36522aa4534bd4d5ead6c4b6fe15433119546f6a0b99af7334c5c

SHA512
815f8d06eac95ef0d981ade05d042f26dec421630899cebc745cc55571862ba7828a3122dd9673690c1cb3742b6a3767ac73a6718ecee8fc689db5942ebaa632

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D38.exe

Filesize
2.8MB

MD5
0dd7b5d429760ba78ee56d4cffdc8e58

SHA1
02b064596c7280b4775429cc5d625ccb03d347e9

SHA256
70e9c21963c36522aa4534bd4d5ead6c4b6fe15433119546f6a0b99af7334c5c

SHA512
815f8d06eac95ef0d981ade05d042f26dec421630899cebc745cc55571862ba7828a3122dd9673690c1cb3742b6a3767ac73a6718ecee8fc689db5942ebaa632

Download Submit
C:\Users\Admin\AppData\Local\Temp\9620.exe

Filesize
368KB

MD5
0d5b6d3c2dd0e9eb170ea1e1e06fb73d

SHA1
b4cd233e78c4b65fea910aefb33cd9cfdc07bfb4

SHA256
e0dc0990501e5fd3d56e2b77d99e6dd7256b576c63e011dbd273195ca380abc6

SHA512
65eb0ba45efe71fd0081f84988658176359926e1cbbd4333372cdcae4fffbdebda7f8a9065d12331476104e67406301e32496b880d51a19a3841ffe68b61ffe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9620.exe

Filesize
368KB

MD5
0d5b6d3c2dd0e9eb170ea1e1e06fb73d

SHA1
b4cd233e78c4b65fea910aefb33cd9cfdc07bfb4

SHA256
e0dc0990501e5fd3d56e2b77d99e6dd7256b576c63e011dbd273195ca380abc6

SHA512
65eb0ba45efe71fd0081f84988658176359926e1cbbd4333372cdcae4fffbdebda7f8a9065d12331476104e67406301e32496b880d51a19a3841ffe68b61ffe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C614.exe

Filesize
217KB

MD5
0ec6e693aab7b7faca937189153b4f8d

SHA1
977457b2515407e94bd6040ae09ccb499e5a683c

SHA256
5e010d7ec86032142095fa431a0d2133424f3082a8d3116291f1494849256912

SHA512
3e30dbccd68ab26c57b570974e4b28f0c185b544f10fadca241ca19b98384a5d49d584814cc024582c0011b998bf14f3746da3173e9ec64f2cd565e878cf3a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\C614.exe

Filesize
217KB

MD5
0ec6e693aab7b7faca937189153b4f8d

SHA1
977457b2515407e94bd6040ae09ccb499e5a683c

SHA256
5e010d7ec86032142095fa431a0d2133424f3082a8d3116291f1494849256912

SHA512
3e30dbccd68ab26c57b570974e4b28f0c185b544f10fadca241ca19b98384a5d49d584814cc024582c0011b998bf14f3746da3173e9ec64f2cd565e878cf3a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCFA.exe

Filesize
3.5MB

MD5
d30c815c9e13d428430f2a8b4018d3d5

SHA1
49bfdfa3b51befed67fe058d1a9e9cc7d1fea579

SHA256
2a1e2d1a6badfd7b0c914ce0554786fea79e32deaa0ff77d8dc703e8eedd2a9f

SHA512
d6d12e13524e676463c230a7d9b620523550cec37cff7e7ca560670fca86c68eb4e190e2c0c4301e436ae8dbd86038453b4d70140eff5a751e52a165c6d2a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCFA.exe

Filesize
3.5MB

MD5
d30c815c9e13d428430f2a8b4018d3d5

SHA1
49bfdfa3b51befed67fe058d1a9e9cc7d1fea579

SHA256
2a1e2d1a6badfd7b0c914ce0554786fea79e32deaa0ff77d8dc703e8eedd2a9f

SHA512
d6d12e13524e676463c230a7d9b620523550cec37cff7e7ca560670fca86c68eb4e190e2c0c4301e436ae8dbd86038453b4d70140eff5a751e52a165c6d2a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D383.exe

Filesize
216KB

MD5
3be6522dd0564358ec1832aed3ff975f

SHA1
4a3e7b5fede94b16553ef9b04c29c871fc7bfef9

SHA256
d77814b6f9fb826360a8f00230b59150520bc5568545c38804a3cb69f6d230f8

SHA512
8e516c669cabb48ea451e93c52d41c5a9c52f15533afbe312fea48a6725fd6eedeb9123853126d6fa71eeb000d69c19e2c7c61211bab6fe91d23b6d0b6389511

Download Submit
C:\Users\Admin\AppData\Local\Temp\D383.exe

Filesize
216KB

MD5
3be6522dd0564358ec1832aed3ff975f

SHA1
4a3e7b5fede94b16553ef9b04c29c871fc7bfef9

SHA256
d77814b6f9fb826360a8f00230b59150520bc5568545c38804a3cb69f6d230f8

SHA512
8e516c669cabb48ea451e93c52d41c5a9c52f15533afbe312fea48a6725fd6eedeb9123853126d6fa71eeb000d69c19e2c7c61211bab6fe91d23b6d0b6389511

Download Submit
C:\Users\Admin\AppData\Local\Temp\D951.exe

Filesize
217KB

MD5
6903b880b28cdbb6ebe035f688cbbf91

SHA1
0284b6258ce09bf173427bebdfca62f47536e39f

SHA256
60ee5a863af6fe7be9f2ed1e647b47aff63ce373103ed3f450778d6a70126824

SHA512
99309e4ce5a11e9042b40a670cbae122eb1a719ec14b9e284583025e3cddae460c32c6e223eda864b46af43380960781f360a51dafab9591deac01e900fdd433

Download Submit
C:\Users\Admin\AppData\Local\Temp\D951.exe

Filesize
217KB

MD5
6903b880b28cdbb6ebe035f688cbbf91

SHA1
0284b6258ce09bf173427bebdfca62f47536e39f

SHA256
60ee5a863af6fe7be9f2ed1e647b47aff63ce373103ed3f450778d6a70126824

SHA512
99309e4ce5a11e9042b40a670cbae122eb1a719ec14b9e284583025e3cddae460c32c6e223eda864b46af43380960781f360a51dafab9591deac01e900fdd433

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2E.exe

Filesize
3.5MB

MD5
8c31d30ef8674d07d554ebf5d8fbbb6d

SHA1
04aafe34c5dc8b18e8324fb340a078aba5e792fd

SHA256
b2e8dfa026c7e6d1c4548f689ef345d1bb42e5e7aef03f97415516423ee8bbe6

SHA512
117c01537b03fc5b8d82224547cd164299ce0020da5abb4e7524ab9dacfa938ce292627118e10a24735fc3152f5edc46611b6872b748d7cf2dbb330c333e8d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2E.exe

Filesize
3.5MB

MD5
8c31d30ef8674d07d554ebf5d8fbbb6d

SHA1
04aafe34c5dc8b18e8324fb340a078aba5e792fd

SHA256
b2e8dfa026c7e6d1c4548f689ef345d1bb42e5e7aef03f97415516423ee8bbe6

SHA512
117c01537b03fc5b8d82224547cd164299ce0020da5abb4e7524ab9dacfa938ce292627118e10a24735fc3152f5edc46611b6872b748d7cf2dbb330c333e8d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E394.exe

Filesize
736KB

MD5
36fc2440660c5f4509c3abcdde9a1c3a

SHA1
23b9d0fe11194e29394beedddfd462225af5118e

SHA256
78f55fd75a0e521099c5f29bc271195d0ac94fbd3a5332b022eae4f0f304df2d

SHA512
c77645c4fcc5c41129d6528d768919c0b470840417a49a0fb899e30740bae25ff5819fab37d765db1a5b86406343b561a8e03aa0033cf44a0afae711d3f4f025

Download Submit
C:\Users\Admin\AppData\Local\Temp\E394.exe

Filesize
736KB

MD5
36fc2440660c5f4509c3abcdde9a1c3a

SHA1
23b9d0fe11194e29394beedddfd462225af5118e

SHA256
78f55fd75a0e521099c5f29bc271195d0ac94fbd3a5332b022eae4f0f304df2d

SHA512
c77645c4fcc5c41129d6528d768919c0b470840417a49a0fb899e30740bae25ff5819fab37d765db1a5b86406343b561a8e03aa0033cf44a0afae711d3f4f025

Download Submit
C:\Users\Admin\AppData\Local\Temp\E394.exe

Filesize
736KB

MD5
36fc2440660c5f4509c3abcdde9a1c3a

SHA1
23b9d0fe11194e29394beedddfd462225af5118e

SHA256
78f55fd75a0e521099c5f29bc271195d0ac94fbd3a5332b022eae4f0f304df2d

SHA512
c77645c4fcc5c41129d6528d768919c0b470840417a49a0fb899e30740bae25ff5819fab37d765db1a5b86406343b561a8e03aa0033cf44a0afae711d3f4f025

Download Submit
C:\Users\Admin\AppData\Local\Temp\E394.exe

Filesize
736KB

MD5
36fc2440660c5f4509c3abcdde9a1c3a

SHA1
23b9d0fe11194e29394beedddfd462225af5118e

SHA256
78f55fd75a0e521099c5f29bc271195d0ac94fbd3a5332b022eae4f0f304df2d

SHA512
c77645c4fcc5c41129d6528d768919c0b470840417a49a0fb899e30740bae25ff5819fab37d765db1a5b86406343b561a8e03aa0033cf44a0afae711d3f4f025

Download Submit
C:\Users\Admin\AppData\Local\Temp\E394.exe

Filesize
736KB

MD5
36fc2440660c5f4509c3abcdde9a1c3a

SHA1
23b9d0fe11194e29394beedddfd462225af5118e

SHA256
78f55fd75a0e521099c5f29bc271195d0ac94fbd3a5332b022eae4f0f304df2d

SHA512
c77645c4fcc5c41129d6528d768919c0b470840417a49a0fb899e30740bae25ff5819fab37d765db1a5b86406343b561a8e03aa0033cf44a0afae711d3f4f025

Download Submit
C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build2.exe

Filesize
321KB

MD5
5fd8c38657bb9393bb4736c880675223

SHA1
f3a03b2e75cef22262f6677e3832b6ad9327905c

SHA256
2a5101345def285c8f52ad39f00261ba9e0375d3de73206d0b8c72ce3b6259c6

SHA512
43c82f6db716792a770a3573a9d20cb69a2421ccc2bb875e57f4270d92c9289ee684deda19e3232c50f4675aaf86de173f73376a00f927a8d9847f60b8b732fe

Download Submit
C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build2.exe

Filesize
321KB

MD5
5fd8c38657bb9393bb4736c880675223

SHA1
f3a03b2e75cef22262f6677e3832b6ad9327905c

SHA256
2a5101345def285c8f52ad39f00261ba9e0375d3de73206d0b8c72ce3b6259c6

SHA512
43c82f6db716792a770a3573a9d20cb69a2421ccc2bb875e57f4270d92c9289ee684deda19e3232c50f4675aaf86de173f73376a00f927a8d9847f60b8b732fe

Download Submit
C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build2.exe

Filesize
321KB

MD5
5fd8c38657bb9393bb4736c880675223

SHA1
f3a03b2e75cef22262f6677e3832b6ad9327905c

SHA256
2a5101345def285c8f52ad39f00261ba9e0375d3de73206d0b8c72ce3b6259c6

SHA512
43c82f6db716792a770a3573a9d20cb69a2421ccc2bb875e57f4270d92c9289ee684deda19e3232c50f4675aaf86de173f73376a00f927a8d9847f60b8b732fe

Download Submit
C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\d159f0bd-1d02-462c-9855-bfa84943d34f\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\acfrjsa

Filesize
217KB

MD5
08e981aad501e2f56c900456ab9c0ae9

SHA1
e212cc704088b4578e94b81048f351815a65571e

SHA256
047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde

SHA512
db6c0a34daefdc368873f70868130885a231bfddf6e7767ab05c2164abb06742c59dcab25fbd0e1ad63cce182714f3574d1d7ef5d9062b5be3a76baaaa607d1f

Download Submit
C:\Users\Admin\AppData\Roaming\acfrjsa

Filesize
217KB

MD5
08e981aad501e2f56c900456ab9c0ae9

SHA1
e212cc704088b4578e94b81048f351815a65571e

SHA256
047591ca2ccc07bd76829f889993e0be9a945791de2d97211bd57a5b63ae1fde

SHA512
db6c0a34daefdc368873f70868130885a231bfddf6e7767ab05c2164abb06742c59dcab25fbd0e1ad63cce182714f3574d1d7ef5d9062b5be3a76baaaa607d1f

Download Submit
C:\Users\Admin\AppData\Roaming\bhfrjsa

Filesize
217KB

MD5
0ec6e693aab7b7faca937189153b4f8d

SHA1
977457b2515407e94bd6040ae09ccb499e5a683c

SHA256
5e010d7ec86032142095fa431a0d2133424f3082a8d3116291f1494849256912

SHA512
3e30dbccd68ab26c57b570974e4b28f0c185b544f10fadca241ca19b98384a5d49d584814cc024582c0011b998bf14f3746da3173e9ec64f2cd565e878cf3a91

Download Submit
C:\Users\Admin\AppData\Roaming\bhfrjsa

Filesize
217KB

MD5
0ec6e693aab7b7faca937189153b4f8d

SHA1
977457b2515407e94bd6040ae09ccb499e5a683c

SHA256
5e010d7ec86032142095fa431a0d2133424f3082a8d3116291f1494849256912

SHA512
3e30dbccd68ab26c57b570974e4b28f0c185b544f10fadca241ca19b98384a5d49d584814cc024582c0011b998bf14f3746da3173e9ec64f2cd565e878cf3a91

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/396-1334-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/396-1332-0x0000000000C90000-0x0000000000C96000-memory.dmp

Filesize
24KB

Download
memory/1324-1338-0x00000000007C0000-0x00000000007CB000-memory.dmp

Filesize
44KB

Download
memory/1324-1336-0x00000000007D0000-0x00000000007D7000-memory.dmp

Filesize
28KB

Download
memory/1816-467-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1816-500-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2032-302-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2032-299-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/2032-297-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/2032-617-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/2032-618-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2184-1288-0x00000000008F0000-0x0000000000949000-memory.dmp

Filesize
356KB

Download
memory/2184-1354-0x00000000058A0000-0x00000000058DE000-memory.dmp

Filesize
248KB

Download
memory/2184-1384-0x0000000005930000-0x000000000597B000-memory.dmp

Filesize
300KB

Download
memory/2184-1433-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/2184-1344-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/2184-1342-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/2184-1340-0x0000000005110000-0x0000000005716000-memory.dmp

Filesize
6.0MB

Download
memory/2184-1284-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/2184-1291-0x0000000000400000-0x00000000005B9000-memory.dmp

Filesize
1.7MB

Download
memory/2184-1311-0x00000000026D0000-0x000000000271C000-memory.dmp

Filesize
304KB

Download
memory/2184-1329-0x0000000002720000-0x0000000002768000-memory.dmp

Filesize
288KB

Download
memory/2452-149-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-121-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-150-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-155-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2452-154-0x0000000000841000-0x0000000000851000-memory.dmp

Filesize
64KB

Download
memory/2452-148-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-147-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-153-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-119-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-120-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-151-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-146-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-144-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2452-122-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-123-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-124-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-152-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-118-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-125-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-126-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-127-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-128-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-145-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-130-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-129-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-131-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-132-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-133-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-134-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-143-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/2452-135-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-142-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-136-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-137-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-141-0x0000000000841000-0x0000000000851000-memory.dmp

Filesize
64KB

Download
memory/2452-140-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-139-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-138-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3316-373-0x00000000023F0000-0x000000000250B000-memory.dmp

Filesize
1.1MB

Download
memory/3716-1418-0x0000000003470000-0x0000000003475000-memory.dmp

Filesize
20KB

Download
memory/4208-428-0x0000000000600000-0x000000000066B000-memory.dmp

Filesize
428KB

Download
memory/4208-456-0x0000000000600000-0x000000000066B000-memory.dmp

Filesize
428KB

Download
memory/4208-427-0x0000000000670000-0x00000000006E5000-memory.dmp

Filesize
468KB

Download
memory/4236-1234-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/4236-1236-0x0000000000940000-0x000000000094F000-memory.dmp

Filesize
60KB

Download
memory/4448-172-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-170-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-158-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-187-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-159-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-186-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-185-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-160-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-199-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/4448-161-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-162-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-184-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-163-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-320-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/4448-183-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-181-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-182-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-179-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-164-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-316-0x00000000007C1000-0x00000000007D2000-memory.dmp

Filesize
68KB

Download
memory/4448-197-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/4448-169-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-188-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-171-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-175-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-189-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-173-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-193-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-191-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-177-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4448-192-0x00000000007C1000-0x00000000007D2000-memory.dmp

Filesize
68KB

Download
memory/4648-257-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/4648-195-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4648-603-0x0000000000670000-0x00000000007BA000-memory.dmp

Filesize
1.3MB

Download
memory/4648-253-0x0000000000670000-0x00000000007BA000-memory.dmp

Filesize
1.3MB

Download
memory/4648-604-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/4648-605-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4648-261-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4676-174-0x0000000140000000-0x000000014060E000-memory.dmp

Filesize
6.1MB

Download
memory/4816-329-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

Filesize
48KB

Download
memory/4940-663-0x00000000021A0000-0x00000000021EF000-memory.dmp

Filesize
316KB

Download
memory/4972-818-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4972-711-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5044-991-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/5044-993-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/5044-992-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/5044-1077-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/5052-807-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5052-602-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5060-994-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/5060-1280-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/5060-995-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/5060-996-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/99556-1058-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/99556-1062-0x0000000009FF0000-0x000000000A4EE000-memory.dmp

Filesize
5.0MB

Download
memory/99556-1082-0x0000000009510000-0x000000000951C000-memory.dmp

Filesize
48KB

Download
memory/99556-1087-0x0000000009DF0000-0x0000000009DFC000-memory.dmp

Filesize
48KB

Download
memory/99556-1099-0x0000000009F70000-0x0000000009FD6000-memory.dmp

Filesize
408KB

Download