quasar | 733431ca3726f733f13a62b56f15faaef24c5edf1822deafee856fed28f31c44

Analysis

max time kernel
7s
max time network
87s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/05/2023, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DcRat.exe
Size

15.6MB
MD5

3c072e1234fdebc749eaad0921a0f890
SHA1

0e1b63cc53414304bed9ab7331afcc8e695b4d90
SHA256

733431ca3726f733f13a62b56f15faaef24c5edf1822deafee856fed28f31c44
SHA512

474adfe31585930acb645c61e6f4feb511e59c4b7f3e094dc604ec5fdad74ff95db1aaa124991d4a0cd11f4306a2409a8520a0a4a7b68b85bc44512ebb04107e
SSDEEP

196608:9j3DJU+Pp3IyrGM4fKotfZFB2gaNIsNNNNKmvN8rNNNNNNNNNNHbL7aIXM1B7Z0g:5DJ/p3ImmSmlT81Bd+3G6+

Score

10^/10

quasar blitzed evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Blitzed

66.63.167.167:55640

Mutex

QSR_MUTEX_dhO8sDJlx2QYARgcR5

Attributes

encryption_key
r3yvBoWbISqrrgZU7Zdn
install_name
wsappx.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security notification
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 30 IoCs

resource	yara_rule
behavioral1/memory/1084-75-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1208-76-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1696-79-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1084-80-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1208-81-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1696-82-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1428-89-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1428-91-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1340-94-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1340-97-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1620-102-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1620-103-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/764-119-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/764-118-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1740-125-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1740-126-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1460-127-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1460-129-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1692-153-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1692-154-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1972-168-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1972-167-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1712-176-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1712-177-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1156-188-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/2032-194-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1904-195-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1156-196-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/2032-209-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar
behavioral1/memory/1904-218-0x0000000000A50000-0x00000000012CC000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AWCC.SERVICE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AWCC.SERVICE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AWCC.SERVICE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AWCC.SERVICE.EXE

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AWCC.SERVICE.EXE

Executes dropped EXE 4 IoCs

pid	Process
1084	AWCC.SERVICE.EXE
1208	AWCC.SERVICE.EXE
1696	AWCC.SERVICE.EXE
1428	AWCC.SERVICE.EXE

Loads dropped DLL 5 IoCs

pid	Process
1972	DcRat.exe
472	DCRAT.EXE
1204	DCRAT.EXE
1536	DCRAT.EXE
1904	AWCC.SERVICE.EXE

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000500000000b46e-56.dat	themida
behavioral1/files/0x000500000000b46e-59.dat	themida
behavioral1/files/0x000500000000b46e-62.dat	themida
behavioral1/files/0x000500000000b46e-65.dat	themida
behavioral1/files/0x000500000000b46e-64.dat	themida
behavioral1/files/0x000500000000b46e-69.dat	themida
behavioral1/files/0x000500000000b46e-70.dat	themida
behavioral1/memory/1084-75-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1208-76-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1696-79-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1084-80-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-78.dat	themida
behavioral1/memory/1208-81-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-77.dat	themida
behavioral1/memory/1696-82-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-86.dat	themida
behavioral1/files/0x000500000000b46e-87.dat	themida
behavioral1/memory/1428-89-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1428-91-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1340-94-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-95.dat	themida
behavioral1/memory/1340-97-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-96.dat	themida
behavioral1/memory/1620-102-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1620-103-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-104.dat	themida
behavioral1/files/0x000500000000b46e-105.dat	themida
behavioral1/files/0x000500000000b46e-109.dat	themida
behavioral1/files/0x000500000000b46e-107.dat	themida
behavioral1/files/0x000500000000b46e-111.dat	themida
behavioral1/files/0x000500000000b46e-112.dat	themida
behavioral1/files/0x000500000000b46e-108.dat	themida
behavioral1/files/0x000500000000b46e-116.dat	themida
behavioral1/files/0x000500000000b46e-106.dat	themida
behavioral1/files/0x000500000000b46e-110.dat	themida
behavioral1/files/0x000500000000b46e-117.dat	themida
behavioral1/files/0x000500000000b46e-114.dat	themida
behavioral1/memory/764-119-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/764-118-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-120.dat	themida
behavioral1/memory/1740-125-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1740-126-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1460-127-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-128.dat	themida
behavioral1/memory/1460-129-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1692-153-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1692-154-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-163.dat	themida
behavioral1/memory/1972-168-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1972-167-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-169.dat	themida
behavioral1/files/0x000500000000b46e-166.dat	themida
behavioral1/files/0x000500000000b46e-158.dat	themida
behavioral1/memory/1712-176-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/1712-177-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-187.dat	themida
behavioral1/memory/1156-188-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/memory/2032-194-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-190.dat	themida
behavioral1/files/0x000500000000b46e-192.dat	themida
behavioral1/memory/1904-195-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-199.dat	themida
behavioral1/memory/1156-196-0x0000000000A50000-0x00000000012CC000-memory.dmp	themida
behavioral1/files/0x000500000000b46e-211.dat	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AWCC.SERVICE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AWCC.SERVICE.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1084	AWCC.SERVICE.EXE
1208	AWCC.SERVICE.EXE
1696	AWCC.SERVICE.EXE
1428	AWCC.SERVICE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2008	2344	WerFault.exe	61
2544	2668	WerFault.exe	71
1440	2032	WerFault.exe	43
3244	1208	WerFault.exe	29
3260	1696	WerFault.exe	31
3252	1084	WerFault.exe	27
3788	2904	WerFault.exe	81
3804	2944	WerFault.exe	82
3836	1692	WerFault.exe	53
3852	2468	WerFault.exe	63
3868	1972	WerFault.exe	48
3904	764	WerFault.exe	51
4000	1904	WerFault.exe	57
3224	1740	WerFault.exe	42
3364	1156	WerFault.exe	55

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
700	PING.EXE
3436	PING.EXE
3424	PING.EXE
3096	PING.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1084	1972	DcRat.exe	27
PID 1972 wrote to memory of 1084	1972	DcRat.exe	27
PID 1972 wrote to memory of 1084	1972	DcRat.exe	27
PID 1972 wrote to memory of 1084	1972	DcRat.exe	27
PID 1972 wrote to memory of 472	1972	AWCC.SERVICE.EXE	28
PID 1972 wrote to memory of 472	1972	AWCC.SERVICE.EXE	28
PID 1972 wrote to memory of 472	1972	AWCC.SERVICE.EXE	28
PID 1972 wrote to memory of 472	1972	AWCC.SERVICE.EXE	28
PID 472 wrote to memory of 1208	472	DCRAT.EXE	29
PID 472 wrote to memory of 1208	472	DCRAT.EXE	29
PID 472 wrote to memory of 1208	472	DCRAT.EXE	29
PID 472 wrote to memory of 1208	472	DCRAT.EXE	29
PID 472 wrote to memory of 1204	472	DCRAT.EXE	30
PID 472 wrote to memory of 1204	472	DCRAT.EXE	30
PID 472 wrote to memory of 1204	472	DCRAT.EXE	30
PID 472 wrote to memory of 1204	472	DCRAT.EXE	30
PID 1204 wrote to memory of 1696	1204	DCRAT.EXE	31
PID 1204 wrote to memory of 1696	1204	DCRAT.EXE	31
PID 1204 wrote to memory of 1696	1204	DCRAT.EXE	31
PID 1204 wrote to memory of 1696	1204	DCRAT.EXE	31
PID 1204 wrote to memory of 1536	1204	DCRAT.EXE	32
PID 1204 wrote to memory of 1536	1204	DCRAT.EXE	32
PID 1204 wrote to memory of 1536	1204	DCRAT.EXE	32
PID 1204 wrote to memory of 1536	1204	DCRAT.EXE	32
PID 1536 wrote to memory of 1428	1536	DCRAT.EXE	34
PID 1536 wrote to memory of 1428	1536	DCRAT.EXE	34
PID 1536 wrote to memory of 1428	1536	DCRAT.EXE	34
PID 1536 wrote to memory of 1428	1536	DCRAT.EXE	34
PID 1536 wrote to memory of 1904	1536	DCRAT.EXE	57
PID 1536 wrote to memory of 1904	1536	DCRAT.EXE	57
PID 1536 wrote to memory of 1904	1536	DCRAT.EXE	57
PID 1536 wrote to memory of 1904	1536	DCRAT.EXE	57
PID 1904 wrote to memory of 1340	1904	AWCC.SERVICE.EXE	35
PID 1904 wrote to memory of 1340	1904	AWCC.SERVICE.EXE	35
PID 1904 wrote to memory of 1340	1904	AWCC.SERVICE.EXE	35
PID 1904 wrote to memory of 1340	1904	AWCC.SERVICE.EXE	35

C:\Users\Admin\AppData\Local\Temp\DcRat.exe
"C:\Users\Admin\AppData\Local\Temp\DcRat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
  "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 680
    3⤵
    - Program crash
    PID:3252
- C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
    "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 684
      4⤵
      Program crash
      PID:3244
- - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
    "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
      "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 812
        5⤵
        Program crash
        
        PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
      "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        5⤵
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        6⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ulCW0tYA7rVp.bat" "
        7⤵
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        6⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        7⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        8⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        9⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        9⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\v7xjPvAaKiv5.bat" "
        10⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        8⤵
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 788
        9⤵
        Program crash
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        7⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ifXu0nfbHRfd.bat" "
        8⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5iTXdoR3TBsN.bat" "
        6⤵
        
        PID:3156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
"C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
  "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 720
    3⤵
    - Program crash
    PID:1440
- C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
  2⤵
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
    "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
      "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 428
        5⤵
        Program crash
        
        PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
      "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
      4⤵
      PID:660
    - - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        5⤵
        
        PID:580
      - C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        6⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        7⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        8⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ypAPZ7FkCaUe.bat" "
        9⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        8⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        9⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        10⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        11⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        12⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        12⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        13⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        14⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        15⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        16⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        17⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        18⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SXMq4RhNGNtZ.bat" "
        19⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        18⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        19⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        20⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 692
        21⤵
        Program crash
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        20⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        21⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUhxpxn0WZMK.bat" "
        22⤵
        
        PID:960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        23⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SZTRiTFuOkG7.bat" "
        24⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        21⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        22⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        23⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        24⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        25⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        26⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        27⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        28⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        29⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        30⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        31⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        32⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        33⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        34⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AovZYve9jYSN.bat" "
        35⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        34⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        35⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DCRAT.EXE"
        35⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        33⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aU11QeRgtBHA.bat" "
        34⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        32⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqL8cEcp8nM2.bat" "
        33⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        31⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgYPqHmsgG6k.bat" "
        32⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        30⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OPTwtmR03CHc.bat" "
        31⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        29⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyYFqYSXCZcL.bat" "
        30⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        28⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4thNdDiIswT3.bat" "
        29⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        27⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wdV7yFox97tP.bat" "
        28⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        26⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Oqe5kAlNLmGi.bat" "
        27⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        25⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yXAUOsZCkHfx.bat" "
        26⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        24⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\frnoxeZUHCZN.bat" "
        25⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        23⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\muQHX8t7JoxB.bat" "
        24⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        22⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\74wmkZVuTrwg.bat" "
        23⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        19⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 692
        20⤵
        Program crash
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        17⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HH3YmFX5hZrz.bat" "
        18⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        16⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eyEyzEi7gTeU.bat" "
        17⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        15⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCh6pg7L1Hqj.bat" "
        16⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        17⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        14⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 704
        15⤵
        Program crash
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        13⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCh6pg7L1Hqj.bat" "
        14⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        11⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        10⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 812
        11⤵
        Program crash
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        9⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 700
        10⤵
        Program crash
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 712
        8⤵
        Program crash
        
        PID:4000
      - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        6⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 808
        7⤵
        Program crash
        
        PID:3364
    - - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
        5⤵
        
        PID:1692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 448
        6⤵
        Program crash
        
        PID:3836
- - C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
    "C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\5iTXdoR3TBsN.bat" "
      4⤵
      PID:3092

C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE
"C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE"
1⤵
PID:1740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 792
  2⤵
  - Program crash
  PID:3224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
\Users\Admin\AppData\Local\Temp\AWCC.SERVICE.EXE

Filesize
3.2MB

MD5
b6478e057844b63b3c8c3b12eb0f2bde

SHA1
9246b0c155053334f123e5e560be01c8dd8e89d4

SHA256
9d98e9c09b292e0493af778a8328e0b693d93995042b33af77fbe9a70b85a9bb

SHA512
9ef92a6d163feefa8b1584f2f78c20ffb585cdc01cb498ca80d029e37e6085009e8d4efba3a77ad1eb26349d4678a66e098c58de6fa35df6958f90b5e7379cfc

Download Submit
memory/764-118-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/764-135-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/764-147-0x00000000054B0000-0x00000000054F0000-memory.dmp

Filesize
256KB

Download
memory/764-119-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1084-75-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1084-143-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/1084-80-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1084-61-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1156-196-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1156-184-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1156-188-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1156-216-0x00000000056B0000-0x00000000056F0000-memory.dmp

Filesize
256KB

Download
memory/1204-71-0x00000000038F0000-0x000000000416C000-memory.dmp

Filesize
8.5MB

Download
memory/1208-72-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1208-76-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1208-81-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1208-145-0x00000000053F0000-0x0000000005430000-memory.dmp

Filesize
256KB

Download
memory/1340-94-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1340-146-0x0000000005410000-0x0000000005450000-memory.dmp

Filesize
256KB

Download
memory/1340-97-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1340-93-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1428-144-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/1428-91-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1428-89-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1428-88-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1460-140-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1460-129-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1460-127-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1620-101-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1620-103-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1620-102-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1648-137-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1648-138-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1692-182-0x0000000005340000-0x0000000005380000-memory.dmp

Filesize
256KB

Download
memory/1692-153-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1692-154-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1692-148-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1696-84-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1696-79-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1696-82-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1712-183-0x0000000005400000-0x0000000005440000-memory.dmp

Filesize
256KB

Download
memory/1712-141-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1712-176-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1712-177-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1740-125-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1740-149-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/1740-136-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1740-126-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1864-189-0x00000000036D0000-0x0000000003F4C000-memory.dmp

Filesize
8.5MB

Download
memory/1904-218-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1904-195-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1904-186-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1972-60-0x00000000039D0000-0x000000000424C000-memory.dmp

Filesize
8.5MB

Download
memory/1972-150-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1972-167-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1972-168-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/1972-185-0x0000000005380000-0x00000000053C0000-memory.dmp

Filesize
256KB

Download
memory/2032-209-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/2032-194-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/2032-139-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/2296-213-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/2344-214-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/2468-219-0x0000000000A50000-0x00000000012CC000-memory.dmp

Filesize
8.5MB

Download
memory/2480-215-0x0000000003540000-0x0000000003DBC000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads