dcrat | f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

Analysis

max time kernel
37s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nonagon.exe
Size

23KB
MD5

1b554731ea6b94e44ab6fe7ec45eb153
SHA1

1849707450548f79b4f8d941745c2c72199a7f00
SHA256

f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
SHA512

96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
SSDEEP

384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt

Score

10^/10

dcrat gurcu phemedrone umbral credential_access discovery execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocument

Extracted

Family

gurcu

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocumen

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb4-35.dat	family_umbral
behavioral1/memory/2632-62-0x000001E4945C0000-0x000001E494600000-memory.dmp	family_umbral

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	3816	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	3816	schtasks.exe	92

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000023caf-16.dat	dcrat
behavioral1/files/0x0007000000023cb2-154.dat	dcrat
behavioral1/memory/2084-156-0x00000000001F0000-0x00000000002E2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4544	powershell.exe
5024	powershell.exe
768	powershell.exe
2168	powershell.exe
4492	powershell.exe
2168	powershell.exe
2524	powershell.exe
4384	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wtf1.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wtf1.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DebugTracker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PING.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RarExtPackage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RarExtPackage.exe

Executes dropped EXE 11 IoCs

pid	Process
2184	RarExtPackage.exe
2632	wtf1.exe
3388	wtf.exe
4504	cs2.exe
2084	DebugTracker.exe
1412	PING.exe
3464	RarExtPackage.exe
3052	wtf1.exe
2152	wtf.exe
2812	cs2.exe
2920	RarExtPackage.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
98	discord.com
99	discord.com
47	discord.com
48	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com
82	ip-api.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\debug\__tmp_rar_sfx_access_check_240635140	RarExtPackage.exe
File created	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File created	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	attrib.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File opened for modification	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	attrib.exe
File created	C:\Windows\debug\__tmp_rar_sfx_access_check_240663203	RarExtPackage.exe
File created	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File created	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File created	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File created	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	RarExtPackage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1412	PING.exe
988	cmd.exe
4612	PING.EXE
3856	cmd.exe
1668	PING.EXE

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4712	wmic.exe
4744	wmic.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	DebugTracker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	PING.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RarExtPackage.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	RarExtPackage.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1668	PING.EXE
1412	PING.exe
4612	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
980	schtasks.exe
5008	schtasks.exe
2152	schtasks.exe
2408	schtasks.exe
3276	schtasks.exe
1124	schtasks.exe
3484	schtasks.exe
4236	schtasks.exe
4612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4504	cs2.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
3388	wtf.exe
2632	wtf1.exe
2524	powershell.exe
2524	powershell.exe
4544	powershell.exe
4544	powershell.exe
5024	powershell.exe
5024	powershell.exe
2588	powershell.exe
2588	powershell.exe
768	powershell.exe
768	powershell.exe
2084	DebugTracker.exe
2084	DebugTracker.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
1412	PING.exe
2812	cs2.exe
2812	cs2.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
2152	wtf.exe
3052	wtf1.exe
3052	wtf1.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
2168	powershell.exe
2168	powershell.exe
2168	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	wtf.exe
Token: SeDebugPrivilege	2632	wtf1.exe
Token: SeDebugPrivilege	4504	cs2.exe
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: 36	904	wmic.exe
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: 36	904	wmic.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeIncreaseQuotaPrivilege	4848	wmic.exe
Token: SeSecurityPrivilege	4848	wmic.exe
Token: SeTakeOwnershipPrivilege	4848	wmic.exe
Token: SeLoadDriverPrivilege	4848	wmic.exe
Token: SeSystemProfilePrivilege	4848	wmic.exe
Token: SeSystemtimePrivilege	4848	wmic.exe
Token: SeProfSingleProcessPrivilege	4848	wmic.exe
Token: SeIncBasePriorityPrivilege	4848	wmic.exe
Token: SeCreatePagefilePrivilege	4848	wmic.exe
Token: SeBackupPrivilege	4848	wmic.exe
Token: SeRestorePrivilege	4848	wmic.exe
Token: SeShutdownPrivilege	4848	wmic.exe
Token: SeDebugPrivilege	4848	wmic.exe
Token: SeSystemEnvironmentPrivilege	4848	wmic.exe
Token: SeRemoteShutdownPrivilege	4848	wmic.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2804	Nonagon.exe
3464	RarExtPackage.exe
3360	Nonagon.exe
2920	RarExtPackage.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2184	4236	Nonagon.exe	85
PID 4236 wrote to memory of 2184	4236	Nonagon.exe	85
PID 4236 wrote to memory of 2184	4236	Nonagon.exe	85
PID 2184 wrote to memory of 4016	2184	RarExtPackage.exe	86
PID 2184 wrote to memory of 4016	2184	RarExtPackage.exe	86
PID 2184 wrote to memory of 4016	2184	RarExtPackage.exe	86
PID 2184 wrote to memory of 2632	2184	RarExtPackage.exe	87
PID 2184 wrote to memory of 2632	2184	RarExtPackage.exe	87
PID 2184 wrote to memory of 3388	2184	RarExtPackage.exe	90
PID 2184 wrote to memory of 3388	2184	RarExtPackage.exe	90
PID 2184 wrote to memory of 4504	2184	RarExtPackage.exe	91
PID 2184 wrote to memory of 4504	2184	RarExtPackage.exe	91
PID 2632 wrote to memory of 904	2632	wtf1.exe	94
PID 2632 wrote to memory of 904	2632	wtf1.exe	94
PID 2632 wrote to memory of 1948	2632	wtf1.exe	98
PID 2632 wrote to memory of 1948	2632	wtf1.exe	98
PID 2632 wrote to memory of 2524	2632	wtf1.exe	100
PID 2632 wrote to memory of 2524	2632	wtf1.exe	100
PID 2632 wrote to memory of 4544	2632	wtf1.exe	102
PID 2632 wrote to memory of 4544	2632	wtf1.exe	102
PID 2632 wrote to memory of 5024	2632	wtf1.exe	104
PID 2632 wrote to memory of 5024	2632	wtf1.exe	104
PID 2632 wrote to memory of 2588	2632	wtf1.exe	106
PID 2632 wrote to memory of 2588	2632	wtf1.exe	106
PID 2632 wrote to memory of 4848	2632	wtf1.exe	108
PID 2632 wrote to memory of 4848	2632	wtf1.exe	108
PID 2632 wrote to memory of 1416	2632	wtf1.exe	110
PID 2632 wrote to memory of 1416	2632	wtf1.exe	110
PID 2632 wrote to memory of 4812	2632	wtf1.exe	112
PID 2632 wrote to memory of 4812	2632	wtf1.exe	112
PID 2632 wrote to memory of 768	2632	wtf1.exe	116
PID 2632 wrote to memory of 768	2632	wtf1.exe	116
PID 2632 wrote to memory of 4712	2632	wtf1.exe	118
PID 2632 wrote to memory of 4712	2632	wtf1.exe	118
PID 2632 wrote to memory of 3856	2632	wtf1.exe	124
PID 2632 wrote to memory of 3856	2632	wtf1.exe	124
PID 3856 wrote to memory of 1668	3856	cmd.exe	126
PID 3856 wrote to memory of 1668	3856	cmd.exe	126
PID 4016 wrote to memory of 3928	4016	WScript.exe	128
PID 4016 wrote to memory of 3928	4016	WScript.exe	128
PID 4016 wrote to memory of 3928	4016	WScript.exe	128
PID 3928 wrote to memory of 2084	3928	cmd.exe	132
PID 3928 wrote to memory of 2084	3928	cmd.exe	132
PID 2084 wrote to memory of 2284	2084	DebugTracker.exe	145
PID 2084 wrote to memory of 2284	2084	DebugTracker.exe	145
PID 2284 wrote to memory of 540	2284	cmd.exe	147
PID 2284 wrote to memory of 540	2284	cmd.exe	147
PID 2284 wrote to memory of 1412	2284	cmd.exe	152
PID 2284 wrote to memory of 1412	2284	cmd.exe	152
PID 1412 wrote to memory of 3120	1412	PING.exe	154
PID 1412 wrote to memory of 3120	1412	PING.exe	154
PID 1412 wrote to memory of 4788	1412	PING.exe	155
PID 1412 wrote to memory of 4788	1412	PING.exe	155
PID 2804 wrote to memory of 3464	2804	Nonagon.exe	161
PID 2804 wrote to memory of 3464	2804	Nonagon.exe	161
PID 2804 wrote to memory of 3464	2804	Nonagon.exe	161
PID 3464 wrote to memory of 4656	3464	RarExtPackage.exe	162
PID 3464 wrote to memory of 4656	3464	RarExtPackage.exe	162
PID 3464 wrote to memory of 4656	3464	RarExtPackage.exe	162
PID 3464 wrote to memory of 3052	3464	RarExtPackage.exe	163
PID 3464 wrote to memory of 3052	3464	RarExtPackage.exe	163
PID 3464 wrote to memory of 2152	3464	RarExtPackage.exe	164
PID 3464 wrote to memory of 2152	3464	RarExtPackage.exe	164
PID 3464 wrote to memory of 2812	3464	RarExtPackage.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1948	attrib.exe
4492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:540
        
        C:\Users\Default\Downloads\PING.exe
        
        "C:\Users\Default\Downloads\PING.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Network Configuration Discovery: Internet Connection Discovery
        Modifies registry class
        Runs ping.exe
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37c9487f-d43e-41db-b909-5c9872992134.vbs"
        8⤵
        
        PID:3120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa129181-5f0b-4eb0-b4c8-8979f37ac6b7.vbs"
        8⤵
        
        PID:4788
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:904
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Windows\debug\wtf1.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\debug\wtf1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2588
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4848
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:1416
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:768
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4712
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\debug\wtf1.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1668
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3388
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PINGP" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\PING.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PING" /sc ONLOGON /tr "'C:\Users\Default\Downloads\PING.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PINGP" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\PING.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      PID:4528
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        
        PID:1048
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3052
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3360
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Windows\debug\wtf1.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\debug\wtf1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:768
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:4212
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:540
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2168
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4744
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\debug\wtf1.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:988
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4612
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2152
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2812

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3360
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2920
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      PID:4424
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        
        PID:4172
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    PID:4612
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    PID:4636
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    PID:2656

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
PID:3824
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      PID:4588
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        
        PID:4488
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    PID:768
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    PID:2836
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\RarExtPackage.exe

Filesize
1.5MB

MD5
84d934c68349e798f58a35df1f2f90c2

SHA1
be0974e4699ff06f52f0d5d380bc9cb8f0c50e19

SHA256
3b7218b64c14fc5125a93b4f898886d3bb9c1bb69f0696ae557bb2b79fe8e8f6

SHA512
83ea4479e8536b015a628c0a8ca0662b269875f303bd0193ad551022c04105406001990f3b261c8201ec031d92047450debe1c915a2e361eddb80b48b876d335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
ee1ff93c5f7ce282cd69e9f2195563f1

SHA1
998a75e0334fca14280cefbab1d40f7b655af746

SHA256
a619c27d113dc65f023fad995e178a8ee75dc3f6c19144ae4f90d2a4a7f0321c

SHA512
d9be5607c28ac60f42d2ea4374e8c4b49244ed4ae9ec6d8b9b4008338c6a71a86ab30f08016f43dc2ed8e56c77dd6bff99686e2324977ec0dacb3803699fdd60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
faaf7523c64dc8415471937d0c677a0e

SHA1
ee072b542876ef962ff2c20eaf817f6fa2c73963

SHA256
3c6d46fe7d22ea84b157220656179229e6517c289346488943507a2c1d1f601e

SHA512
b3281d40afe4fae4d65ba1db1f7c585a48bbcfb9bd2d5ba9935c6d0dbbe496ec82da39afb34313bf6d0e2b89e5645a5b61e02706ce53a9bcae77b166efd7dabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
dd4ba5e36953bd6d0e45637df8b2af5b

SHA1
9f70fda2fa09f905815cb5276812f9e6f2ffa09d

SHA256
bc8a5c0a627b6a6e91f9bb1b15ec455e60413b066a812e3468fcbc72e669576a

SHA512
8ebe0228440fffbfa81c5ea453d50710a525047e062bf2c84f4cfde3dc10e1e51da1a8530010e813ccd38f90b072fbc206437a11531c7ee744133b9d9e880098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
e30cb5343b2203d70d9d974837295eaf

SHA1
d22eb890b2d29e6a9e5863fbd3bb588a5b931fe5

SHA256
e44f37d6092e8caf9e286aa34fac834f1f93cb1094a247833eb3e214c877bd01

SHA512
026d9ec2df2a0e9babc1aa73e7c40078fd086b6808237fe78e2f0a92e87732dbe20240e1b07ace24d20c58e399cd163960bcc359bd8bb19edda11b26442ad8c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
79db131d46cb77b195c62b0deed49a0f

SHA1
fbd7304fd6c2350071fd6b99a4e5b3c57b5f8a1a

SHA256
2031f00f9ca01c0db4fd42900f6561187d4c7d86c26807beea24abfc6e992f57

SHA512
a20247e5c03156581787a0a0551f4824f301e5e3459c1345579f764045018761974009ef10dba3a787fe0a2b29565c10be37ea46b1152ae0204e70eea9121178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
23ce1e6fca6c31b9890243ede8b90503

SHA1
ebafc0d9106c0f0398a4bf000a9cadfccfa645d3

SHA256
208894346619b9af9bca6b48348e6211b7f09f531fce9e32c26011ba33b2f5c2

SHA512
dbe2449816af513957eb11b47c832c1427fef5d3c3ddf219c3d987ee5267cfcdf326dd0a1ea8617e87e76d5e6ec9036989379b395b6932ce2085bc482db02832

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
46f8969f54043003fd9c3b6f2260cdd3

SHA1
d42b0579fbd7f7ebb131034c0f5956dbf751ca8b

SHA256
1c3e106bbfa99ba750ba97e4eba02e90418d482f428bc69ef035d60b82d9e5b8

SHA512
9bee1822a2ec7c52b46e29e4e7431e42d000f63457a4c6a0f6e03dc4aa6f8a989ebc6e0211e93411f98077015bc27c2e10fcb8ac6317837d88a729985a4995f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
f1fd93db46f684547c1bdeb6bbb0f381

SHA1
1a775d744125e1a3ddfe5db1efe459e09f707406

SHA256
7ff225c82e1f01353ede7b08da5a9410d9cb088f7afaacd1b97c156dde1bec2c

SHA512
b144b8d0c465f0b6dbb6331980946be8f51134380f236adb311eaf73dccd48e11f8e3a758e4ea77e89ceb5722b9144d5075a4b71b4b88f72b211d200c5acc116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DebugTracker.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wtf1.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0b8cb2e6dd5794b6a56a4bdbbd430fd7

SHA1
2b08e348c3489c6a35761af073018e3784c12074

SHA256
bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f

SHA512
15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77fad1dec6867fb7dd395c25c46d8ae5

SHA1
abfecfd6c63bb35ec88d98ef210adefc139d793e

SHA256
02b0ab469998ac630b421de245ee243599422e7f2c2f9714085fc5b837891784

SHA512
ac8d9d660992d076e46ffdb7422d4916789a7ca2f5737c711449f518745dee197ed1c08e50f81f92cb7d2d1ea94fe024e77a8295e1be05c5a49a0fd7495776d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d0db0b7d53a78b59212ff6e858c7fd23

SHA1
1462de306506121ad7e11de26f8adaebef854ed5

SHA256
6e4688ee439f23ef612e712d4c74f31d87fd02bf8324e9d08f0c31afe31f95af

SHA512
461cbfaa0fbf20949af16a0070e8b5deb25faa6ae7b90dea3981509fd2b97ef340ef7e99dac64c8f13245c6aeedf8f9b0c4974a785914d15a737faa2757aa80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3f8971731c95d93e2bda88546639a32

SHA1
70989a4396e2fe2cde0a64f60f3092ec693b6f75

SHA256
259602a19150656df83daf1297656e3f2ec1723befce5a791eeebf5c1e7567ae

SHA512
dfaa65bf9915d7cd44bfff561449c3d55e177d3c6af042ec263c66cc8b1ba74948e3f48b578d30cc533e2a56e2c62a0ceac5da761b15170116462707a00f9539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\37c9487f-d43e-41db-b909-5c9872992134.vbs

Filesize
711B

MD5
efb21ef5955a4aa8d981454d29744c04

SHA1
b1c154e7860ce907414f5f92d7901bea94f98bf9

SHA256
845b20108de4fa13e7d8c64bd27655069126749a506830c540b432d729fee91e

SHA512
71b305f637b966d0c07c6bca41fbe5b802cd0fa6dca46d73c94ba7bbe3511da3b936244ed856c83fc46fa454f0624a841f7a74573657500df28fa077ccd25e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fr4bej3q.yu5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa129181-5f0b-4eb0-b4c8-8979f37ac6b7.vbs

Filesize
487B

MD5
8b2a0777db058b343b1001f062590038

SHA1
748dce16088637388950119258bddfecd502b1f2

SHA256
34fec89233908bc31b5914b750d2a3401306a2ad539b964e01adf78efc60629f

SHA512
7ca596b05f7d66824d53bc73dd28c67dc10520ac39203e6c05447c8b2c26001fbc45e90844b180e6c26b966811740fa268cae82354964998691165d5d46d889e

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat

Filesize
200B

MD5
b6b201ddf1412fd3a11a0f6d045437fc

SHA1
3485c9ab11ac6b3469eb23bcb605803681b933a2

SHA256
42e49f4f857ab317508a58960cf29530b7d1c472e2d28ff667beeaee56b8adc1

SHA512
991d9fadf86c9be3c6e4756f6707e35c6378bbd6129cb46d60fbf7eb1ca55d9a35ad3d8f094951a1e36a0e693af49054a0e942df628dda91bc0ff218cb866fc7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
C:\Windows\debug\DebugTracker.exe

Filesize
942KB

MD5
22cbb5402a44f058c9176e04aa74b5f6

SHA1
10838c4611974ba2a5382442677dcf679840ecdd

SHA256
5d1930426e5e41548bcc214c4298c96028ea71d2a83f755e50fa5756c35a615a

SHA512
10d0693f4c6ff9cbcdf5b4ec8b0c690f11d9463c834c94fc7659bf9a89edae9c0b951e55f5909344caf4cccc1ea8d7635b58126cb3667847a290b4f0ac49f0a0

Download Submit
C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat

Filesize
35B

MD5
159dec09c9bf063b00e4952d8665a601

SHA1
38bac5d19ebd3822e23b07932cd65ba7c2c08a9c

SHA256
f380d068932fe95e35273007cae8acc6d71bd62446c7fa7f0ed0da6bcb7b0c9c

SHA512
5cb79038ee2f712aead2b6180af25305326044711d9f8270b4075eabe7635c096eb8c4e22182633d639abf29293d28a7187d5c8bb5726cd6a9707b48961df073

Download Submit
C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

Filesize
217B

MD5
f9ed37928a0d95692faa9f69d0cd5cb7

SHA1
77c2968f3d2ba8afb128307105861734b4fce286

SHA256
61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a

SHA512
cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

Download Submit
C:\Windows\debug\cs2.exe

Filesize
137KB

MD5
509f2eeba11a964fa8d22ab6994cee78

SHA1
544321089bbc1cbc6e51eabcfcb0c042f797142c

SHA256
21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a

SHA512
f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

Download Submit
C:\Windows\debug\wtf.exe

Filesize
265KB

MD5
47ba0b9187c62981c229372477e2b2a0

SHA1
9c861ee21eb30ec6aa35b02bd437f70c2ac25eee

SHA256
93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc

SHA512
2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

Download Submit
C:\Windows\debug\wtf1.exe

Filesize
229KB

MD5
187795687849f43176bc94aff323435f

SHA1
22e3d510df771291a2a256946ac6268ccf5d10be

SHA256
d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e

SHA512
b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

Download Submit
memory/2084-158-0x0000000002410000-0x000000000241E000-memory.dmp

Filesize
56KB

Download
memory/2084-157-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/2084-159-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2084-156-0x00000000001F0000-0x00000000002E2000-memory.dmp

Filesize
968KB

Download
memory/2524-73-0x00000230D0010000-0x00000230D0032000-memory.dmp

Filesize
136KB

Download
memory/2632-93-0x000001E4AEA50000-0x000001E4AEAA0000-memory.dmp

Filesize
320KB

Download
memory/2632-92-0x000001E4AED30000-0x000001E4AEDA6000-memory.dmp

Filesize
472KB

Download
memory/2632-132-0x000001E4AEEB0000-0x000001E4AEEC2000-memory.dmp

Filesize
72KB

Download
memory/2632-62-0x000001E4945C0000-0x000001E494600000-memory.dmp

Filesize
256KB

Download
memory/2632-94-0x000001E4AEAA0000-0x000001E4AEABE000-memory.dmp

Filesize
120KB

Download
memory/2632-131-0x000001E4AEA40000-0x000001E4AEA4A000-memory.dmp

Filesize
40KB

Download
memory/3388-66-0x000001FB69830000-0x000001FB69876000-memory.dmp

Filesize
280KB

Download
memory/4504-65-0x00000187EFA50000-0x00000187EFA78000-memory.dmp

Filesize
160KB

Download