dcrat | 8d8083a15c3ed42eae1336ff0060628915f58b60ee35e95b18843b5711b13372

Analysis

max time kernel
36s
max time network
51s
platform
windows10-1703_x64
resource
win10-20220901-es
resource tags

arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
28-01-2023 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Belle Delphine Nudes Leaked!/Anal.scr
Size

3.4MB
MD5

ed6ea767354e940d79e591d21d8e1bbd
SHA1

d07011f13100f7578506f45630cfdb73286a3e44
SHA256

be790ab14ba841b5a5ae4fb7853924f33be7577b35a5565ca31fcd399b1ad8f8
SHA512

b653626e2d42d76d6daa48ecf779e053ab3bff1781c54519fe70f47bd97a03fcce3eed5dacb01edbae655b588ad4be138b2df29e604ddfd2cc0ff4f80b8da569
SSDEEP

49152:EbA37QXuXj2m0oENBxCFk+M0/V5Z7dTMjPvxQp0VR4NOjtSskvRIaqiZd:EbXXuiyENBE209BqnOmeMjYsqR7d

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 22 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeAnal.scrschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2964	schtasks.exe
4784	schtasks.exe
3900	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	Anal.scr
5036	schtasks.exe
2772	schtasks.exe
4140	schtasks.exe
2192	schtasks.exe
3460	schtasks.exe
4904	schtasks.exe
4936	schtasks.exe
4724	schtasks.exe
3628	schtasks.exe
4568	schtasks.exe
1364	schtasks.exe
4992	schtasks.exe
1412	schtasks.exe
2428	schtasks.exe
2392	schtasks.exe
4960	schtasks.exe
2856	schtasks.exe
4588	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

webbroker.exewebbroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\ShellExperienceHost.exe\", \"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\ShellExperienceHost.exe\", \"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\ShellExperienceHost.exe\", \"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\taskhostw.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\ShellExperienceHost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\ShellExperienceHost.exe\", \"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\ShellExperienceHost.exe\", \"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\", \"C:\\odt\\lsass.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\ShellExperienceHost.exe\", \"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\""	webbroker.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3076	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\SurrogateagentsavesDll\webbroker.exe	dcrat
C:\SurrogateagentsavesDll\webbroker.exe	dcrat
behavioral1/memory/3644-286-0x0000000000B90000-0x0000000000E32000-memory.dmp	dcrat
C:\SurrogateagentsavesDll\webbroker.exe	dcrat
C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	dcrat
C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

webbroker.exewebbroker.exefontdrvhost.exe

pid process

3644 webbroker.exe
3624 webbroker.exe
4432 fontdrvhost.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

webbroker.exewebbroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Desktop\\winlogon.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\Setup\\State\\taskhostw.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\odt\\lsass.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Desktop\\winlogon.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Searches\\System.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Searches\\System.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\Setup\\State\\taskhostw.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\odt\\lsass.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\odt\\ShellExperienceHost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\odt\\ShellExperienceHost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\PLA\\System\\RuntimeBroker.exe\""	webbroker.exe

Drops file in Program Files directory 2 IoCs

Processes:

webbroker.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	webbroker.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	webbroker.exe

Drops file in Windows directory 4 IoCs

Processes:

webbroker.exewebbroker.exe

description	ioc	process
File created	C:\Windows\PLA\System\RuntimeBroker.exe	webbroker.exe
File created	C:\Windows\PLA\System\9e8d7a4ca61bd9	webbroker.exe
File created	C:\Windows\Setup\State\taskhostw.exe	webbroker.exe
File created	C:\Windows\Setup\State\ea9f0e6c9e2dcd	webbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
5036	schtasks.exe
3900	schtasks.exe
2192	schtasks.exe
4960	schtasks.exe
4936	schtasks.exe
4140	schtasks.exe
2392	schtasks.exe
1364	schtasks.exe
3460	schtasks.exe
4904	schtasks.exe
2772	schtasks.exe
2428	schtasks.exe
2856	schtasks.exe
4568	schtasks.exe
4992	schtasks.exe
4724	schtasks.exe
1412	schtasks.exe
2964	schtasks.exe
4784	schtasks.exe
3628	schtasks.exe
4588	schtasks.exe

Modifies registry class 4 IoCs

Processes:

fontdrvhost.exeAnal.scrwebbroker.exewebbroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	Anal.scr
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	webbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	webbroker.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

webbroker.exepowershell.exepowershell.exepowershell.exewebbroker.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exe

pid	process
3644	webbroker.exe
3528	powershell.exe
3744	powershell.exe
3996	powershell.exe
3996	powershell.exe
3528	powershell.exe
3744	powershell.exe
3996	powershell.exe
3528	powershell.exe
3744	powershell.exe
3624	webbroker.exe
3624	webbroker.exe
3624	webbroker.exe
3624	webbroker.exe
3624	webbroker.exe
4232	powershell.exe
4288	powershell.exe
4256	powershell.exe
3192	powershell.exe
2160	powershell.exe
1836	powershell.exe
3192	powershell.exe
4256	powershell.exe
3192	powershell.exe
4232	powershell.exe
4288	powershell.exe
2160	powershell.exe
1836	powershell.exe
4256	powershell.exe
4232	powershell.exe
4288	powershell.exe
2160	powershell.exe
1836	powershell.exe
4432	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

webbroker.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3644	webbroker.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeIncreaseQuotaPrivilege	3996	powershell.exe
Token: SeSecurityPrivilege	3996	powershell.exe
Token: SeTakeOwnershipPrivilege	3996	powershell.exe
Token: SeLoadDriverPrivilege	3996	powershell.exe
Token: SeSystemProfilePrivilege	3996	powershell.exe
Token: SeSystemtimePrivilege	3996	powershell.exe
Token: SeProfSingleProcessPrivilege	3996	powershell.exe
Token: SeIncBasePriorityPrivilege	3996	powershell.exe
Token: SeCreatePagefilePrivilege	3996	powershell.exe
Token: SeBackupPrivilege	3996	powershell.exe
Token: SeRestorePrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeSystemEnvironmentPrivilege	3996	powershell.exe
Token: SeRemoteShutdownPrivilege	3996	powershell.exe
Token: SeUndockPrivilege	3996	powershell.exe
Token: SeManageVolumePrivilege	3996	powershell.exe
Token: 33	3996	powershell.exe
Token: 34	3996	powershell.exe
Token: 35	3996	powershell.exe
Token: 36	3996	powershell.exe
Token: SeIncreaseQuotaPrivilege	3528	powershell.exe
Token: SeSecurityPrivilege	3528	powershell.exe
Token: SeTakeOwnershipPrivilege	3528	powershell.exe
Token: SeLoadDriverPrivilege	3528	powershell.exe
Token: SeSystemProfilePrivilege	3528	powershell.exe
Token: SeSystemtimePrivilege	3528	powershell.exe
Token: SeProfSingleProcessPrivilege	3528	powershell.exe
Token: SeIncBasePriorityPrivilege	3528	powershell.exe
Token: SeCreatePagefilePrivilege	3528	powershell.exe
Token: SeBackupPrivilege	3528	powershell.exe
Token: SeRestorePrivilege	3528	powershell.exe
Token: SeShutdownPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeSystemEnvironmentPrivilege	3528	powershell.exe
Token: SeRemoteShutdownPrivilege	3528	powershell.exe
Token: SeUndockPrivilege	3528	powershell.exe
Token: SeManageVolumePrivilege	3528	powershell.exe
Token: 33	3528	powershell.exe
Token: 34	3528	powershell.exe
Token: 35	3528	powershell.exe
Token: 36	3528	powershell.exe
Token: SeIncreaseQuotaPrivilege	3744	powershell.exe
Token: SeSecurityPrivilege	3744	powershell.exe
Token: SeTakeOwnershipPrivilege	3744	powershell.exe
Token: SeLoadDriverPrivilege	3744	powershell.exe
Token: SeSystemProfilePrivilege	3744	powershell.exe
Token: SeSystemtimePrivilege	3744	powershell.exe
Token: SeProfSingleProcessPrivilege	3744	powershell.exe
Token: SeIncBasePriorityPrivilege	3744	powershell.exe
Token: SeCreatePagefilePrivilege	3744	powershell.exe
Token: SeBackupPrivilege	3744	powershell.exe
Token: SeRestorePrivilege	3744	powershell.exe
Token: SeShutdownPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeSystemEnvironmentPrivilege	3744	powershell.exe
Token: SeRemoteShutdownPrivilege	3744	powershell.exe
Token: SeUndockPrivilege	3744	powershell.exe
Token: SeManageVolumePrivilege	3744	powershell.exe
Token: 33	3744	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Anal.scrWScript.execmd.exewebbroker.execmd.exewebbroker.execmd.exefontdrvhost.exe

description	pid	process	target process
PID 2588 wrote to memory of 2684	2588	Anal.scr	WScript.exe
PID 2588 wrote to memory of 2684	2588	Anal.scr	WScript.exe
PID 2588 wrote to memory of 2684	2588	Anal.scr	WScript.exe
PID 2684 wrote to memory of 4544	2684	WScript.exe	cmd.exe
PID 2684 wrote to memory of 4544	2684	WScript.exe	cmd.exe
PID 2684 wrote to memory of 4544	2684	WScript.exe	cmd.exe
PID 4544 wrote to memory of 3644	4544	cmd.exe	webbroker.exe
PID 4544 wrote to memory of 3644	4544	cmd.exe	webbroker.exe
PID 3644 wrote to memory of 3528	3644	webbroker.exe	powershell.exe
PID 3644 wrote to memory of 3528	3644	webbroker.exe	powershell.exe
PID 3644 wrote to memory of 3744	3644	webbroker.exe	powershell.exe
PID 3644 wrote to memory of 3744	3644	webbroker.exe	powershell.exe
PID 3644 wrote to memory of 3996	3644	webbroker.exe	powershell.exe
PID 3644 wrote to memory of 3996	3644	webbroker.exe	powershell.exe
PID 3644 wrote to memory of 824	3644	webbroker.exe	cmd.exe
PID 3644 wrote to memory of 824	3644	webbroker.exe	cmd.exe
PID 824 wrote to memory of 5004	824	cmd.exe	w32tm.exe
PID 824 wrote to memory of 5004	824	cmd.exe	w32tm.exe
PID 824 wrote to memory of 3624	824	cmd.exe	webbroker.exe
PID 824 wrote to memory of 3624	824	cmd.exe	webbroker.exe
PID 3624 wrote to memory of 4232	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 4232	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 4288	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 4288	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 4256	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 4256	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 2160	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 2160	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 3192	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 3192	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 1836	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 1836	3624	webbroker.exe	powershell.exe
PID 3624 wrote to memory of 4024	3624	webbroker.exe	cmd.exe
PID 3624 wrote to memory of 4024	3624	webbroker.exe	cmd.exe
PID 4024 wrote to memory of 3848	4024	cmd.exe	w32tm.exe
PID 4024 wrote to memory of 3848	4024	cmd.exe	w32tm.exe
PID 4024 wrote to memory of 4432	4024	cmd.exe	fontdrvhost.exe
PID 4024 wrote to memory of 4432	4024	cmd.exe	fontdrvhost.exe
PID 4432 wrote to memory of 4876	4432	fontdrvhost.exe	WScript.exe
PID 4432 wrote to memory of 4876	4432	fontdrvhost.exe	WScript.exe
PID 4432 wrote to memory of 1900	4432	fontdrvhost.exe	WScript.exe
PID 4432 wrote to memory of 1900	4432	fontdrvhost.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\Belle Delphine Nudes Leaked!\Anal.scr
"C:\Users\Admin\AppData\Local\Temp\Belle Delphine Nudes Leaked!\Anal.scr" /S
1⤵
- DcRat
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SurrogateagentsavesDll\rh7k9gt.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\SurrogateagentsavesDll\2nvHsNHUhqkINTDaJO.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\SurrogateagentsavesDll\webbroker.exe
"C:\SurrogateagentsavesDll\webbroker.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\webbroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u3sYTpaNrj.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:5004

C:\SurrogateagentsavesDll\webbroker.exe
"C:\SurrogateagentsavesDll\webbroker.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\webbroker.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\System.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\winlogon.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\taskhostw.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bWJ08PThl7.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:3848

C:\Program Files (x86)\Windows Mail\fontdrvhost.exe
"C:\Program Files (x86)\Windows Mail\fontdrvhost.exe"
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a24248-d4dc-42a1-adbd-324718c80131.vbs"
9⤵
PID:4876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fab18bd-2373-4892-8a8a-e83cad55836f.vbs"
9⤵
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PLA\System\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\System\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\odt\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Searches\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Setup\State\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\fontdrvhost.exe
Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\Program Files (x86)\Windows Mail\fontdrvhost.exe
Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\2nvHsNHUhqkINTDaJO.bat
Filesize
41B

MD5
d9fbba17a660eee76f5e6556e7f00ccc

SHA1
5e40c6de4f9a1d2dae42a33902120af6c561f631

SHA256
bed8275c849c71818fa90791dd5b71514a46a82990a7e04a3092dc7c761d1f62

SHA512
c3f484fbe0b3461335b6aa6fe8ec509044e853edf15a514e3d2d33bd5370d9566b21f03cc0e949ec9a6a91c2abeb7f30dc741b33522548b75c056384f1344955

Download Submit
C:\SurrogateagentsavesDll\rh7k9gt.vbe
Filesize
217B

MD5
243fd9d2bb97513854d1025a6727a5e4

SHA1
ab45973af5a26c54821b6897043958ecbf5683b3

SHA256
38a0c3d04ec79e01ecc452d0afb95ac1f419472d9abbd9ebde4b30b94da6509b

SHA512
da630c8c29ba43e8929ec89ba525930cceca5f580d338ca8337dc1be9cb41fe11ba7c7f4ab658407552b7d5ce2929fd56f86739bd76124e35a0110d407c6faeb

Download Submit
C:\SurrogateagentsavesDll\webbroker.exe
Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\webbroker.exe
Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\webbroker.exe
Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\webbroker.exe.log
Filesize
1KB

MD5
430a3e587f99c7640a58a042ce63bdd6

SHA1
5d11d6b74e56cf622796971b8f57f57ca37592db

SHA256
a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7

SHA512
0b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51c357e69e676468d780be08a12d5558

SHA1
abf5b0a474d201158163dab5b654a16d8af26d53

SHA256
beb645e34365633e3dd67082070bc7b59ace6e9341acf9ce579aaa0d7c8dfe7a

SHA512
f31e6b910dff8a78932b75b1570eb0aed7caea39f269325d7362ea4edffe89281164ff6fbfdbd3bf7e0f2cbe4cf9217f54a1bd474140d8ddba67ddba1b48a198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51c357e69e676468d780be08a12d5558

SHA1
abf5b0a474d201158163dab5b654a16d8af26d53

SHA256
beb645e34365633e3dd67082070bc7b59ace6e9341acf9ce579aaa0d7c8dfe7a

SHA512
f31e6b910dff8a78932b75b1570eb0aed7caea39f269325d7362ea4edffe89281164ff6fbfdbd3bf7e0f2cbe4cf9217f54a1bd474140d8ddba67ddba1b48a198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51c357e69e676468d780be08a12d5558

SHA1
abf5b0a474d201158163dab5b654a16d8af26d53

SHA256
beb645e34365633e3dd67082070bc7b59ace6e9341acf9ce579aaa0d7c8dfe7a

SHA512
f31e6b910dff8a78932b75b1570eb0aed7caea39f269325d7362ea4edffe89281164ff6fbfdbd3bf7e0f2cbe4cf9217f54a1bd474140d8ddba67ddba1b48a198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c80a0422405af45a924822942faa5352

SHA1
4f010c56c817731b3b46b227cd67f590e064a3eb

SHA256
c74333f7ffb6081e164cf17f5d3008d9b29655aed344b0acad9281426fedceb9

SHA512
89bf298dd1832e5a6e3de91a3d63b199e323ebeff5c7a6ff83039b3ed5429717cc780d69ab7b9e5f4cc26b4e7f540fa40eb1472b145ee4a0645d2346c757566b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
66bd72625953ad3e8d6d063659e84213

SHA1
e25b5cc7b2f8f9fdd30f84434f6346be42e596aa

SHA256
4ab0c0c3511e0550f66783fcfadf8b0b60fe166fda704d39d174341caef6af5a

SHA512
5b405e52ea03171f5e79518a723b933d688cfc3d5ddf202b3476c29a346e745aa4f23d0fc41c2d592f7619f920c71876adf902ca8c86ae8f96c3e9304b81cfe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6e2e856051122acbef99e8dd1eae01bf

SHA1
6f710610132a0bd7f9dc1c0704db13cc4b1e6334

SHA256
6ced23eda6ded97c674db5b7007ae55307a59ce44d854e5b2204ba401837c3cf

SHA512
8897535db656c2bec47408802d505735e3c5f667170167050166792f1933c3751fb011cc48cb04b5f8891917aaee6400451dd024e6b46037aaa62462282e597f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
48d9a869735b653124a35a5d836249aa

SHA1
2f4c62398ef849a3a25b26cb361d4080830d106c

SHA256
1f1ab50b38999cc8999eacf9966820478944144d52dfbd31171adaca792f12d4

SHA512
5c163aa153d123609801747ea5a310d6b7142bda6fdbb7303d1512dbd105b17e444016d2f1ab511d9e8de7c212452a6bda8c9972319ce08f5db65b8654727081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fbfe3d33dba03884926d70894397a1be

SHA1
baf0b7a4cbc3675af2d468207fcc435ddf7a60b3

SHA256
8921756c2c2c956aed5c990c066eadd76a76d8c4d175db5caca38c3319ef529c

SHA512
67b6023a97d1589bfbd9eafe2e8d80bff681e466c4475aeed9725af737b9157d0ba947394a71bc5975721056cbb7390ad3d455edb68db374050b7f017c810c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fab18bd-2373-4892-8a8a-e83cad55836f.vbs
Filesize
503B

MD5
483d34d735cd0842d2782796d964c99f

SHA1
aa933196c8917aadb9fd2c469a302cc29d6ad34a

SHA256
e6be1c83d046752ffb1f7c8b2455f648604db7acbf874518b2d6163a81f36979

SHA512
4de3247ec8bc287e753e45fa6aa622126a71c999578d37174b18f96a1d18eab7721d8947ec6a40e515c6283308108b2aa02be2a58053f3a84d77fd92c30098e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\81a24248-d4dc-42a1-adbd-324718c80131.vbs
Filesize
727B

MD5
cb138bf1552308a006b58bf9a8cd7184

SHA1
7b1df606147da790bb65094157e59b4c97a8ed14

SHA256
c5d4fb3035a776c503243b8146760507b7b8a2c49da2e5d2af7165aa454768dc

SHA512
0f28abb9ea2641f05543f5883fa2c2e41d7ab6c078baefa04b23df461ba9b6b9e1ab33ec8e9c8c677017f724c9c29ef7b4bc6afad7094a7bef8028da6b927e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bWJ08PThl7.bat
Filesize
216B

MD5
21a736b73e06817ae338088c11fc3b91

SHA1
d9623aa4409111c9cdbda78eaa75c87cb0168c35

SHA256
b92ce015cfa2bd09a04ae1041feac911d11b24672218072414590307deae2a22

SHA512
ecd15cd419139006c7b51de7015abcc433e10b062101f2a6fa45206b3ab10acec32fc3bd0e45ea864d43c3cb1916cff8cfd96cbffee359d8d447805a7d615f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3sYTpaNrj.bat
Filesize
204B

MD5
524358fae7e97c761291ab50d396c972

SHA1
05a2b3301639ac6c0813dfbba94c043c704291e9

SHA256
8b1d0967061a4b439aef639059ec3df847cc52ef6fbfbff0e0a6f107c2fa5337

SHA512
44875e0e61be5b8d57d5ca33e24eba5894040777ecae0a8b59ff2122d9970aaba85059cc118b1e4f928dca1b2000a535a173db6350198795090de9455b7c5342

Download Submit
memory/824-316-0x0000000000000000-mapping.dmp

Download
memory/1836-426-0x0000000000000000-mapping.dmp

Download
memory/1900-639-0x0000000000000000-mapping.dmp

Download
memory/2160-424-0x0000000000000000-mapping.dmp

Download
memory/2588-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-184-0x0000000000000000-mapping.dmp

Download
memory/3192-425-0x0000000000000000-mapping.dmp

Download
memory/3528-301-0x0000000000000000-mapping.dmp

Download
memory/3528-402-0x000001D524EB0000-0x000001D524ECE000-memory.dmp

Filesize
120KB

Download
memory/3528-317-0x000001D524F20000-0x000001D524FA2000-memory.dmp

Filesize
520KB

Download
memory/3528-318-0x000001D50B0D0000-0x000001D50B0E0000-memory.dmp

Filesize
64KB

Download
memory/3624-418-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3624-415-0x0000000000000000-mapping.dmp

Download
memory/3624-420-0x000000001B0E0000-0x000000001B0F2000-memory.dmp

Filesize
72KB

Download
memory/3624-419-0x000000001B090000-0x000000001B0E6000-memory.dmp

Filesize
344KB

Download
memory/3644-296-0x0000000001600000-0x000000000160A000-memory.dmp

Filesize
40KB

Download
memory/3644-290-0x0000000001610000-0x0000000001626000-memory.dmp

Filesize
88KB

Download
memory/3644-295-0x000000001C920000-0x000000001CE46000-memory.dmp

Filesize
5.1MB

Download
memory/3644-286-0x0000000000B90000-0x0000000000E32000-memory.dmp

Filesize
2.6MB

Download
memory/3644-300-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/3644-299-0x0000000002F20000-0x0000000002F2A000-memory.dmp

Filesize
40KB

Download
memory/3644-294-0x00000000015D0000-0x00000000015E2000-memory.dmp

Filesize
72KB

Download
memory/3644-287-0x000000001BF40000-0x000000001C042000-memory.dmp

Filesize
1.0MB

Download
memory/3644-288-0x0000000001350000-0x000000000136C000-memory.dmp

Filesize
112KB

Download
memory/3644-289-0x000000001C1A0000-0x000000001C1F0000-memory.dmp

Filesize
320KB

Download
memory/3644-298-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/3644-291-0x0000000001380000-0x0000000001392000-memory.dmp

Filesize
72KB

Download
memory/3644-297-0x0000000001630000-0x000000000163E000-memory.dmp

Filesize
56KB

Download
memory/3644-292-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/3644-293-0x000000001C150000-0x000000001C1A6000-memory.dmp

Filesize
344KB

Download
memory/3644-283-0x0000000000000000-mapping.dmp

Download
memory/3744-319-0x0000025074970000-0x0000025074992000-memory.dmp

Filesize
136KB

Download
memory/3744-302-0x0000000000000000-mapping.dmp

Download
memory/3848-458-0x0000000000000000-mapping.dmp

Download
memory/3996-337-0x000001C646770000-0x000001C6467BA000-memory.dmp

Filesize
296KB

Download
memory/3996-322-0x000001C6465F0000-0x000001C646666000-memory.dmp

Filesize
472KB

Download
memory/3996-303-0x0000000000000000-mapping.dmp

Download
memory/4024-441-0x0000000000000000-mapping.dmp

Download
memory/4232-421-0x0000000000000000-mapping.dmp

Download
memory/4256-423-0x0000000000000000-mapping.dmp

Download
memory/4288-422-0x0000000000000000-mapping.dmp

Download
memory/4432-642-0x000000001C620000-0x000000001C660000-memory.dmp

Filesize
256KB

Download
memory/4432-637-0x000000001BCF0000-0x000000001BD02000-memory.dmp

Filesize
72KB

Download
memory/4432-621-0x0000000000000000-mapping.dmp

Download
memory/4544-260-0x0000000000000000-mapping.dmp

Download
memory/4876-638-0x0000000000000000-mapping.dmp

Download
memory/5004-325-0x0000000000000000-mapping.dmp

Download