dcrat | f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

Analysis

max time kernel
79s
max time network
75s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
20/03/2025, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nonagon.exe
Size

23KB
MD5

1b554731ea6b94e44ab6fe7ec45eb153
SHA1

1849707450548f79b4f8d941745c2c72199a7f00
SHA256

f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
SHA512

96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
SSDEEP

384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt

Score

10^/10

dcrat phemedrone umbral credential_access discovery infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocument

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002818e-43.dat	family_umbral
behavioral1/memory/4596-72-0x000001821F970000-0x000001821F9B0000-memory.dmp	family_umbral

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4052	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4052	schtasks.exe	90

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000028189-21.dat	dcrat
behavioral1/files/0x000700000002818c-87.dat	dcrat
behavioral1/memory/2188-89-0x00000000008D0000-0x00000000009C2000-memory.dmp	dcrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
15	2728	Nonagon.exe

Uses browser remote debugging 2 TTPs 1 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4544	chrome.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	DebugTracker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	RarExtPackage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
4320	RarExtPackage.exe
4596	wtf1.exe
2156	wtf.exe
2008	cs2.exe
2188	DebugTracker.exe
940	cmd.exe
2392	cmd.exe
2136	cmd.exe
5792	cmd.exe
1400	cmd.exe
3940	cmd.exe
4644	cmd.exe
2116	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe	DebugTracker.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\56085415360792	DebugTracker.exe
File created	C:\Program Files (x86)\Google\Update\DebugTracker.exe	DebugTracker.exe
File created	C:\Program Files (x86)\Google\Update\baf0f489ef151f	DebugTracker.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File created	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File created	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File created	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File created	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File created	C:\Windows\debug\__tmp_rar_sfx_access_check_240610671	RarExtPackage.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File opened for modification	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File created	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	RarExtPackage.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4284	schtasks.exe
2152	schtasks.exe
5284	schtasks.exe
5896	schtasks.exe
4624	schtasks.exe
4160	schtasks.exe
1268	schtasks.exe
2336	schtasks.exe
3176	schtasks.exe
1712	schtasks.exe
2340	schtasks.exe
3612	schtasks.exe
2148	schtasks.exe
2436	schtasks.exe
5804	schtasks.exe
6044	schtasks.exe
1068	schtasks.exe
2208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
2156	wtf.exe
5076	wmic.exe
5076	wmic.exe
5076	wmic.exe
5076	wmic.exe
2008	cs2.exe
2008	cs2.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
2188	DebugTracker.exe
940	cmd.exe
2392	cmd.exe
2136	cmd.exe
5792	cmd.exe
1400	cmd.exe
3940	cmd.exe
4644	cmd.exe
2116	cmd.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	wtf.exe
Token: SeDebugPrivilege	4596	wtf1.exe
Token: SeIncreaseQuotaPrivilege	5076	wmic.exe
Token: SeSecurityPrivilege	5076	wmic.exe
Token: SeTakeOwnershipPrivilege	5076	wmic.exe
Token: SeLoadDriverPrivilege	5076	wmic.exe
Token: SeSystemProfilePrivilege	5076	wmic.exe
Token: SeSystemtimePrivilege	5076	wmic.exe
Token: SeProfSingleProcessPrivilege	5076	wmic.exe
Token: SeIncBasePriorityPrivilege	5076	wmic.exe
Token: SeCreatePagefilePrivilege	5076	wmic.exe
Token: SeBackupPrivilege	5076	wmic.exe
Token: SeRestorePrivilege	5076	wmic.exe
Token: SeShutdownPrivilege	5076	wmic.exe
Token: SeDebugPrivilege	5076	wmic.exe
Token: SeSystemEnvironmentPrivilege	5076	wmic.exe
Token: SeRemoteShutdownPrivilege	5076	wmic.exe
Token: SeUndockPrivilege	5076	wmic.exe
Token: SeManageVolumePrivilege	5076	wmic.exe
Token: 33	5076	wmic.exe
Token: 34	5076	wmic.exe
Token: 35	5076	wmic.exe
Token: 36	5076	wmic.exe
Token: SeIncreaseQuotaPrivilege	5076	wmic.exe
Token: SeSecurityPrivilege	5076	wmic.exe
Token: SeTakeOwnershipPrivilege	5076	wmic.exe
Token: SeLoadDriverPrivilege	5076	wmic.exe
Token: SeSystemProfilePrivilege	5076	wmic.exe
Token: SeSystemtimePrivilege	5076	wmic.exe
Token: SeProfSingleProcessPrivilege	5076	wmic.exe
Token: SeIncBasePriorityPrivilege	5076	wmic.exe
Token: SeCreatePagefilePrivilege	5076	wmic.exe
Token: SeBackupPrivilege	5076	wmic.exe
Token: SeRestorePrivilege	5076	wmic.exe
Token: SeShutdownPrivilege	5076	wmic.exe
Token: SeDebugPrivilege	5076	wmic.exe
Token: SeSystemEnvironmentPrivilege	5076	wmic.exe
Token: SeRemoteShutdownPrivilege	5076	wmic.exe
Token: SeUndockPrivilege	5076	wmic.exe
Token: SeManageVolumePrivilege	5076	wmic.exe
Token: 33	5076	wmic.exe
Token: 34	5076	wmic.exe
Token: 35	5076	wmic.exe
Token: 36	5076	wmic.exe
Token: SeDebugPrivilege	2008	cs2.exe
Token: SeDebugPrivilege	2188	DebugTracker.exe
Token: SeDebugPrivilege	940	cmd.exe
Token: SeDebugPrivilege	2392	cmd.exe
Token: SeDebugPrivilege	2136	cmd.exe
Token: SeDebugPrivilege	5792	cmd.exe
Token: SeDebugPrivilege	1400	cmd.exe
Token: SeDebugPrivilege	3940	cmd.exe
Token: SeDebugPrivilege	4644	cmd.exe
Token: SeDebugPrivilege	2116	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4320	2728	Nonagon.exe	82
PID 2728 wrote to memory of 4320	2728	Nonagon.exe	82
PID 2728 wrote to memory of 4320	2728	Nonagon.exe	82
PID 4320 wrote to memory of 4068	4320	RarExtPackage.exe	83
PID 4320 wrote to memory of 4068	4320	RarExtPackage.exe	83
PID 4320 wrote to memory of 4068	4320	RarExtPackage.exe	83
PID 4320 wrote to memory of 4596	4320	RarExtPackage.exe	84
PID 4320 wrote to memory of 4596	4320	RarExtPackage.exe	84
PID 4320 wrote to memory of 2156	4320	RarExtPackage.exe	86
PID 4320 wrote to memory of 2156	4320	RarExtPackage.exe	86
PID 4320 wrote to memory of 2008	4320	RarExtPackage.exe	87
PID 4320 wrote to memory of 2008	4320	RarExtPackage.exe	87
PID 2008 wrote to memory of 4544	2008	cs2.exe	88
PID 2008 wrote to memory of 4544	2008	cs2.exe	88
PID 4544 wrote to memory of 4588	4544	chrome.exe	89
PID 4544 wrote to memory of 4588	4544	chrome.exe	89
PID 4596 wrote to memory of 5076	4596	wtf1.exe	91
PID 4596 wrote to memory of 5076	4596	wtf1.exe	91
PID 4068 wrote to memory of 5468	4068	WScript.exe	96
PID 4068 wrote to memory of 5468	4068	WScript.exe	96
PID 4068 wrote to memory of 5468	4068	WScript.exe	96
PID 5468 wrote to memory of 2188	5468	cmd.exe	98
PID 5468 wrote to memory of 2188	5468	cmd.exe	98
PID 2188 wrote to memory of 940	2188	DebugTracker.exe	117
PID 2188 wrote to memory of 940	2188	DebugTracker.exe	117
PID 940 wrote to memory of 1512	940	cmd.exe	118
PID 940 wrote to memory of 1512	940	cmd.exe	118
PID 940 wrote to memory of 3552	940	cmd.exe	119
PID 940 wrote to memory of 3552	940	cmd.exe	119
PID 1512 wrote to memory of 2392	1512	WScript.exe	122
PID 1512 wrote to memory of 2392	1512	WScript.exe	122
PID 2392 wrote to memory of 3860	2392	cmd.exe	123
PID 2392 wrote to memory of 3860	2392	cmd.exe	123
PID 2392 wrote to memory of 2980	2392	cmd.exe	124
PID 2392 wrote to memory of 2980	2392	cmd.exe	124
PID 3860 wrote to memory of 2136	3860	WScript.exe	126
PID 3860 wrote to memory of 2136	3860	WScript.exe	126
PID 2136 wrote to memory of 920	2136	cmd.exe	127
PID 2136 wrote to memory of 920	2136	cmd.exe	127
PID 2136 wrote to memory of 4504	2136	cmd.exe	128
PID 2136 wrote to memory of 4504	2136	cmd.exe	128
PID 920 wrote to memory of 5792	920	WScript.exe	129
PID 920 wrote to memory of 5792	920	WScript.exe	129
PID 5792 wrote to memory of 1192	5792	cmd.exe	130
PID 5792 wrote to memory of 1192	5792	cmd.exe	130
PID 5792 wrote to memory of 4324	5792	cmd.exe	131
PID 5792 wrote to memory of 4324	5792	cmd.exe	131
PID 1192 wrote to memory of 1400	1192	WScript.exe	132
PID 1192 wrote to memory of 1400	1192	WScript.exe	132
PID 1400 wrote to memory of 5692	1400	cmd.exe	133
PID 1400 wrote to memory of 5692	1400	cmd.exe	133
PID 1400 wrote to memory of 240	1400	cmd.exe	134
PID 1400 wrote to memory of 240	1400	cmd.exe	134
PID 5692 wrote to memory of 3940	5692	WScript.exe	135
PID 5692 wrote to memory of 3940	5692	WScript.exe	135
PID 3940 wrote to memory of 1212	3940	cmd.exe	136
PID 3940 wrote to memory of 1212	3940	cmd.exe	136
PID 3940 wrote to memory of 460	3940	cmd.exe	137
PID 3940 wrote to memory of 460	3940	cmd.exe	137
PID 1212 wrote to memory of 4644	1212	WScript.exe	138
PID 1212 wrote to memory of 4644	1212	WScript.exe	138
PID 4644 wrote to memory of 4796	4644	cmd.exe	139
PID 4644 wrote to memory of 4796	4644	cmd.exe	139
PID 4644 wrote to memory of 5012	4644	cmd.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- Downloads MZ/PE file
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5468
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        "C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0933bdab-ea90-42f9-bd29-d3ca29fb21a9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71a646e0-9f52-4dff-bbf5-ebb4b627b635.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31504268-7052-401e-a8af-83bbfe59b09d.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9b3dd4-5b3c-4d35-a67b-641a5a0fc11f.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f27613-e0d9-40c0-a233-d090cc26085c.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:5692
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fef3fecb-b164-4b72-a58a-586fa41a216b.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c74ceb65-6988-47cb-ab60-b79dea452fd7.vbs"
        19⤵
        
        PID:4796
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        
        C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84a7e017-e1a2-47aa-999d-d6b19877f6e4.vbs"
        21⤵
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e04ff47-b771-4664-b85a-841e0a0888c1.vbs"
        21⤵
        
        PID:5384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fe7b0d5-f930-4cd3-9fdd-5bc36d7be8a2.vbs"
        19⤵
        
        PID:5012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9bb014-4fb8-4117-bb57-9288ebe550b2.vbs"
        17⤵
        
        PID:460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02277b7d-526d-44f3-87e9-6a0e7b9969da.vbs"
        15⤵
        
        PID:240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22ee6db-3533-4bfb-92ea-0feaf69ffac6.vbs"
        13⤵
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc40bb04-abaf-479d-aa09-fec94fa0909e.vbs"
        11⤵
        
        PID:4504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed56f984-9f35-4988-b7d1-d9c0e0095f8b.vbs"
        9⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac7b2aab-44f4-44df-ad75-8f2817e95493.vbs"
        7⤵
        
        PID:3552
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5076
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x224,0x228,0x22c,0x220,0x230,0x7ffa3f80dcf8,0x7ffa3f80dd04,0x7ffa3f80dd10
        5⤵
        
        PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DebugTrackerD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\DebugTracker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DebugTracker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\DebugTracker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DebugTrackerD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\DebugTracker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cs2c" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cs2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cs2" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cs2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cs2c" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cs2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\a5f1eda8760fc790760b7e5a7f56\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\RarExtPackage.exe

Filesize
1.5MB

MD5
84d934c68349e798f58a35df1f2f90c2

SHA1
be0974e4699ff06f52f0d5d380bc9cb8f0c50e19

SHA256
3b7218b64c14fc5125a93b4f898886d3bb9c1bb69f0696ae557bb2b79fe8e8f6

SHA512
83ea4479e8536b015a628c0a8ca0662b269875f303bd0193ad551022c04105406001990f3b261c8201ec031d92047450debe1c915a2e361eddb80b48b876d335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
ff7ce793bcf47827eb5d4b597959a841

SHA1
5af4410d4ae6fff5f90030556de31a3dfe620845

SHA256
3cd72e1b802edf5156a5cb51a21acce032fc7ba0fe6a500027674d833373e0f8

SHA512
ec106eb5dfc3b27d4dc9ac08f77a5afe1a2aa7cba75f648b4c417ad89b78c7e469f6a18ac1f42acbc821d8a07bef0ae067a4f3ff0dc0b71c54379d8877947de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0933bdab-ea90-42f9-bd29-d3ca29fb21a9.vbs

Filesize
714B

MD5
3098968e80943bc4c8ba6ede4fe63639

SHA1
bdc8453b4e2b57e3e0a66d466434016646d2f004

SHA256
9b546665fb987cba9b933a6f2ce18ccdb174004c485090856e45ba3e3e2b3964

SHA512
1e0cee09c37aa90bdd0a872272c7172ef3bde51bf87951be9ed312f54c44e7ebcff4afa06562ccdfc01e006b20b80b4d09d2cbe669f5a3d8fffa1d2c97aa6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\31504268-7052-401e-a8af-83bbfe59b09d.vbs

Filesize
715B

MD5
f762818b3aee80fb1305781894972079

SHA1
0efbc967f0ca75c69198c8ce2629ad2827b87f58

SHA256
23b7e985a45a4b933b943dce77c10533cac76e976ec1cd527c01533adaf92585

SHA512
52dca854cd544e46a30a3128ae7e35a79bcef2614927de47d0fe5401380aa7889f497454af5cde459900d246a2a21b2613a272d9e8c005c8b606bf39fcec2107

Download Submit
C:\Users\Admin\AppData\Local\Temp\71a646e0-9f52-4dff-bbf5-ebb4b627b635.vbs

Filesize
715B

MD5
458c96140a6cff3831e0bc644a216f87

SHA1
597c23870a864cbba1d05f362671b84d853fa0d4

SHA256
7571bfc883a64c3903d9ecfb40ff98994f9f2eab79ee9f1f3490ead018ca965a

SHA512
923f67e436d97c5eb991c15fa8e24bc8a7b29a8a489a538556ad0c3d5abb6003b3a2f8b067d57269a31fe938540641cfda975b7ee4a1a6d60ebecb08a36fcfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a7e017-e1a2-47aa-999d-d6b19877f6e4.vbs

Filesize
715B

MD5
640a93cdf72766334c6bede77751edfe

SHA1
057cef8ea5071c4f3f5959adafaf106a954feaa1

SHA256
7df060ec60d150b09a0c31e7a7ad58cf0a3077e781743f0b56d45742528445c3

SHA512
83c1db5c7f05b4bb3d811791630ab1ac7509a7fc4c4f8f1a7143a5819ea7d6cfa687e8b7046150ebcbee3a12ab154523c39e819a5006e8d204b39e4277195162

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac7b2aab-44f4-44df-ad75-8f2817e95493.vbs

Filesize
491B

MD5
a04acf4f4449ed600781d672690362a0

SHA1
02d84ccc5b834c37643ae61886e74ac90c2b7362

SHA256
c8e2ca2dec9c0748703c45c231255d85fda13274ace9b397f087636bb64074bc

SHA512
14c5ba14feb25dc0eef3bb414ddc0f9b91ff7c180e6e3d93c28fc634c27a6467b28bf554c9bd548f7f28ee70b10ba89cccbfd44de1b652cdae3d92144d37c91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c74ceb65-6988-47cb-ab60-b79dea452fd7.vbs

Filesize
715B

MD5
353b5a8159cc8fc21e979a98ab97f195

SHA1
4653c165b2f5f37bad8ad669ec368d345643df09

SHA256
bc57564bfc3891c35d6ae4660249f46f9ef813711b2635d75fb8df94bca47fcd

SHA512
2505358747ff18434f85406b11e817092a09f823e3f079cdd599871114687a5fe64525848f7c2665b7596efc07240f39b2bdb23e99fe8c1568929bac10a69a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9f27613-e0d9-40c0-a233-d090cc26085c.vbs

Filesize
715B

MD5
15f7df3606c966ccd945aef7b70e038a

SHA1
d161a1d1a6fd272eb0c3a00e01d87f3e8a7ed0bb

SHA256
567cf22e43046d0c79557d4a592123b637db9510dab7f22892f7389096ca1dc9

SHA512
2ef8309b9fab3fb3f415b4dcf2983c2cc96ab78185a529028822ffc3e615fd8623dc398638c6f21b1b79a961160b470fa977730a18ecc29463f0968035fc2430

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe9b3dd4-5b3c-4d35-a67b-641a5a0fc11f.vbs

Filesize
715B

MD5
2c71bda41b133133d18c1997d4d48628

SHA1
c22c2194df77e478561b7796ac4732f3e18b8398

SHA256
cba4d0905b65797a29a25356b6739ae76506c6c189978b5f56051ad9db6a2c20

SHA512
b2cec89a1698a1d9ea81fbc3a1a9007fe4519bf18cb76af6f576a76eb526295ed205b35da4af13e2f7213eea6e41b32d99b16bfa2f2f88cced0333e205747c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\fef3fecb-b164-4b72-a58a-586fa41a216b.vbs

Filesize
715B

MD5
e1344ab5ea9e499a45744e98ec5216bc

SHA1
cbc85b0b570d95518971a0d24b5ed77421f8b5de

SHA256
49a5997c6908a0fecf28b5111cb9d9225ea10d59d3c951e440e8b9951831269f

SHA512
bbd8952a3316633ed69cd8304fba4ca6db2162081888e38a5840e266938cc46a7c8d28ae69bdfa73427c17dfdb0a44b6133d80e382c0a12456b403507bbdaae6

Download Submit
C:\Windows\debug\DebugTracker.exe

Filesize
942KB

MD5
22cbb5402a44f058c9176e04aa74b5f6

SHA1
10838c4611974ba2a5382442677dcf679840ecdd

SHA256
5d1930426e5e41548bcc214c4298c96028ea71d2a83f755e50fa5756c35a615a

SHA512
10d0693f4c6ff9cbcdf5b4ec8b0c690f11d9463c834c94fc7659bf9a89edae9c0b951e55f5909344caf4cccc1ea8d7635b58126cb3667847a290b4f0ac49f0a0

Download Submit
C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat

Filesize
35B

MD5
159dec09c9bf063b00e4952d8665a601

SHA1
38bac5d19ebd3822e23b07932cd65ba7c2c08a9c

SHA256
f380d068932fe95e35273007cae8acc6d71bd62446c7fa7f0ed0da6bcb7b0c9c

SHA512
5cb79038ee2f712aead2b6180af25305326044711d9f8270b4075eabe7635c096eb8c4e22182633d639abf29293d28a7187d5c8bb5726cd6a9707b48961df073

Download Submit
C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

Filesize
217B

MD5
f9ed37928a0d95692faa9f69d0cd5cb7

SHA1
77c2968f3d2ba8afb128307105861734b4fce286

SHA256
61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a

SHA512
cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

Download Submit
C:\Windows\debug\cs2.exe

Filesize
137KB

MD5
509f2eeba11a964fa8d22ab6994cee78

SHA1
544321089bbc1cbc6e51eabcfcb0c042f797142c

SHA256
21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a

SHA512
f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

Download Submit
C:\Windows\debug\wtf.exe

Filesize
265KB

MD5
47ba0b9187c62981c229372477e2b2a0

SHA1
9c861ee21eb30ec6aa35b02bd437f70c2ac25eee

SHA256
93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc

SHA512
2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

Download Submit
C:\Windows\debug\wtf1.exe

Filesize
229KB

MD5
187795687849f43176bc94aff323435f

SHA1
22e3d510df771291a2a256946ac6268ccf5d10be

SHA256
d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e

SHA512
b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

Download Submit
memory/2008-83-0x0000026E6C1F0000-0x0000026E6C218000-memory.dmp

Filesize
160KB

Download
memory/2156-79-0x00000193CB220000-0x00000193CB266000-memory.dmp

Filesize
280KB

Download
memory/2188-92-0x0000000001250000-0x0000000001258000-memory.dmp

Filesize
32KB

Download
memory/2188-91-0x0000000001240000-0x000000000124E000-memory.dmp

Filesize
56KB

Download
memory/2188-90-0x0000000001220000-0x000000000122A000-memory.dmp

Filesize
40KB

Download
memory/2188-89-0x00000000008D0000-0x00000000009C2000-memory.dmp

Filesize
968KB

Download
memory/4596-72-0x000001821F970000-0x000001821F9B0000-memory.dmp

Filesize
256KB

Download