dcrat | b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

Resubmissions

25-01-2022 20:58

220125-zr9txafah2 10

25-01-2022 05:22

220125-f2kszshddn 10

Analysis

max time kernel
118s
max time network
128s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5320340037751e10748b6463fab8ee0.exe
Size

2.1MB
MD5

b5320340037751e10748b6463fab8ee0
SHA1

b3e9a125688e9da67708adfcada41bb56de2cd3d
SHA256

b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d
SHA512

67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Score

10^/10

dcrat infostealer persistence rat suricata

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

b5320340037751e10748b6463fab8ee0.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\System32\KBDINBEN\f3b6ecef712a24	b5320340037751e10748b6463fab8ee0.exe
4028	schtasks.exe
2828	schtasks.exe
1536	schtasks.exe
924	schtasks.exe
File created	C:\Windows\System32\KBDINBEN\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

spoolsv.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" spoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	spoolsv.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1416	schtasks.exe

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata
Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

3196 spoolsv.exe
Deletes itself 1 IoCs

Processes:

spoolsv.exe

pid process

3196 spoolsv.exe

pid	process
3196	spoolsv.exe

pid	process
3196	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wlansvc\\RuntimeBroker.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDINBEN\\spoolsv.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\debug\\SearchUI.exe\""	b5320340037751e10748b6463fab8ee0.exe

Drops file in System32 directory 5 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
File created	C:\Windows\System32\KBDINBEN\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\System32\KBDINBEN\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\KBDINBEN\f3b6ecef712a24	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\wlansvc\RuntimeBroker.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\wlansvc\9e8d7a4ca61bd9	b5320340037751e10748b6463fab8ee0.exe

Drops file in Windows directory 2 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
File created	C:\Windows\debug\SearchUI.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\debug\dab4d89cac03ec	b5320340037751e10748b6463fab8ee0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4028 schtasks.exe
2828 schtasks.exe
1536 schtasks.exe
924 schtasks.exe

pid	process
4028	schtasks.exe
2828	schtasks.exe
1536	schtasks.exe
924	schtasks.exe

Modifies registry class 1 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	b5320340037751e10748b6463fab8ee0.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exe

pid	process
736	b5320340037751e10748b6463fab8ee0.exe
736	b5320340037751e10748b6463fab8ee0.exe
736	b5320340037751e10748b6463fab8ee0.exe
1420	powershell.exe
3952	powershell.exe
1900	powershell.exe
776	powershell.exe
4012	powershell.exe
4012	powershell.exe
1900	powershell.exe
1420	powershell.exe
3952	powershell.exe
776	powershell.exe
4012	powershell.exe
1420	powershell.exe
1900	powershell.exe
3952	powershell.exe
776	powershell.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	736	b5320340037751e10748b6463fab8ee0.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	1900	powershell.exe
Token: SeSecurityPrivilege	1900	powershell.exe
Token: SeTakeOwnershipPrivilege	1900	powershell.exe
Token: SeLoadDriverPrivilege	1900	powershell.exe
Token: SeSystemProfilePrivilege	1900	powershell.exe
Token: SeSystemtimePrivilege	1900	powershell.exe
Token: SeProfSingleProcessPrivilege	1900	powershell.exe
Token: SeIncBasePriorityPrivilege	1900	powershell.exe
Token: SeCreatePagefilePrivilege	1900	powershell.exe
Token: SeBackupPrivilege	1900	powershell.exe
Token: SeRestorePrivilege	1900	powershell.exe
Token: SeShutdownPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeSystemEnvironmentPrivilege	1900	powershell.exe
Token: SeRemoteShutdownPrivilege	1900	powershell.exe
Token: SeUndockPrivilege	1900	powershell.exe
Token: SeManageVolumePrivilege	1900	powershell.exe
Token: 33	1900	powershell.exe
Token: 34	1900	powershell.exe
Token: 35	1900	powershell.exe
Token: 36	1900	powershell.exe
Token: SeIncreaseQuotaPrivilege	776	powershell.exe
Token: SeSecurityPrivilege	776	powershell.exe
Token: SeTakeOwnershipPrivilege	776	powershell.exe
Token: SeLoadDriverPrivilege	776	powershell.exe
Token: SeSystemProfilePrivilege	776	powershell.exe
Token: SeSystemtimePrivilege	776	powershell.exe
Token: SeProfSingleProcessPrivilege	776	powershell.exe
Token: SeIncBasePriorityPrivilege	776	powershell.exe
Token: SeCreatePagefilePrivilege	776	powershell.exe
Token: SeBackupPrivilege	776	powershell.exe
Token: SeRestorePrivilege	776	powershell.exe
Token: SeShutdownPrivilege	776	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeSystemEnvironmentPrivilege	776	powershell.exe
Token: SeRemoteShutdownPrivilege	776	powershell.exe
Token: SeUndockPrivilege	776	powershell.exe
Token: SeManageVolumePrivilege	776	powershell.exe
Token: 33	776	powershell.exe
Token: 34	776	powershell.exe
Token: 35	776	powershell.exe
Token: 36	776	powershell.exe
Token: SeIncreaseQuotaPrivilege	3952	powershell.exe
Token: SeSecurityPrivilege	3952	powershell.exe
Token: SeTakeOwnershipPrivilege	3952	powershell.exe
Token: SeLoadDriverPrivilege	3952	powershell.exe
Token: SeSystemProfilePrivilege	3952	powershell.exe
Token: SeSystemtimePrivilege	3952	powershell.exe
Token: SeProfSingleProcessPrivilege	3952	powershell.exe
Token: SeIncBasePriorityPrivilege	3952	powershell.exe
Token: SeCreatePagefilePrivilege	3952	powershell.exe
Token: SeBackupPrivilege	3952	powershell.exe
Token: SeRestorePrivilege	3952	powershell.exe
Token: SeIncreaseQuotaPrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	3952	powershell.exe
Token: SeSecurityPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeTakeOwnershipPrivilege	1420	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.execmd.exespoolsv.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1420	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 1420	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 3952	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 3952	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 776	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 776	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 4012	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 4012	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 1900	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 1900	736	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 736 wrote to memory of 772	736	b5320340037751e10748b6463fab8ee0.exe	cmd.exe
PID 736 wrote to memory of 772	736	b5320340037751e10748b6463fab8ee0.exe	cmd.exe
PID 772 wrote to memory of 2104	772	cmd.exe	w32tm.exe
PID 772 wrote to memory of 2104	772	cmd.exe	w32tm.exe
PID 772 wrote to memory of 3196	772	cmd.exe	spoolsv.exe
PID 772 wrote to memory of 3196	772	cmd.exe	spoolsv.exe
PID 3196 wrote to memory of 1684	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 1684	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 3544	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 3544	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 3604	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 3604	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 684	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 684	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 3952	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 3952	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 1216	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 1216	3196	spoolsv.exe	schtasks.exe
PID 3196 wrote to memory of 2600	3196	spoolsv.exe	cmd.exe
PID 3196 wrote to memory of 2600	3196	spoolsv.exe	cmd.exe
PID 2600 wrote to memory of 4024	2600	cmd.exe	w32tm.exe
PID 2600 wrote to memory of 4024	2600	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
"C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wlansvc\RuntimeBroker.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\SearchUI.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDINBEN\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUvcrzcpRj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2104
- - C:\Windows\System32\KBDINBEN\spoolsv.exe
    "C:\Windows\System32\KBDINBEN\spoolsv.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "b5320340037751e10748b6463fab8ee0" /f
      4⤵
      PID:1684
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "spoolsv" /f
      4⤵
      PID:3544
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "SearchUI" /f
      4⤵
      PID:3604
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "RuntimeBroker" /f
      4⤵
      PID:684
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "dllhost" /f
      4⤵
      PID:3952
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "spoolsv" /f
      4⤵
      PID:1216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDINBEN\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\debug\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wlansvc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\5940a34987c991

MD5
0c6b6656f152f4176ccfc4a6b2d1b294

SHA1
518b488ccf8ffd2889e1c03f93cc9673b5d333fe

SHA256
72381714ca3c565e39e6d5a27ff99ac6de563d2a74127e44ff4b9efbf78e18cf

SHA512
21a80b0e44572d1bef9aec1acbe01f8b19880f82bd9c8e001fd267e2b20b76dd3e0a72c1b9586cd65a8f561e74c73c2a0eaa02eab1d58010ecebb232bb85bd39

Download Submit
C:\Documents and Settings\dllhost.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0e27558b9c2f6dfa57d200cbdbc2b3be

SHA1
85f2eb3dec92dab93049d200879fc861cdfda0c4

SHA256
621632615c2b99953b5c43d54eb54cf9e0a918904eead0119f61c631ee4b90a1

SHA512
9ef05488940620d6b5f15f25cab66ef87aa19591feef902f5d9c297e98d1a723bfa5fc05f81ce24ff0e9e992cacda806960eed368660046f77ba843147efbe5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
453fed4e93ccc2ff5ffad30f81dfc51f

SHA1
011724099040a0fb24baa1c886fd0be86d5c9ece

SHA256
fdf8e39f343262aae561094a192cb22085dfc980a65b6b357dbd2e9fd8d793e5

SHA512
fe8fd619850e407c2d8459469c662ccc9329e4f78a19e1c114f877b75f912786a278b3565a9b1b61e305a25ea90cadba6a8695c6e949aaa5ee49eb5056706b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fd2133a9897459eda2a03bbd12520b03

SHA1
169631a04053293098ceebbcc1b21706087308d2

SHA256
02d176fabd70345cec2d189f4c8015b9fde165623ae8e30388fba3a08ad5eeea

SHA512
efd0d9ae3d8577b04727391a9f5ffcd2ab93b60ac608bdef33740293b78a7ff93a25ca1fe574740c26312a3e740345ee3732226f1fd2d01b02e30ed12e89aac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fd2133a9897459eda2a03bbd12520b03

SHA1
169631a04053293098ceebbcc1b21706087308d2

SHA256
02d176fabd70345cec2d189f4c8015b9fde165623ae8e30388fba3a08ad5eeea

SHA512
efd0d9ae3d8577b04727391a9f5ffcd2ab93b60ac608bdef33740293b78a7ff93a25ca1fe574740c26312a3e740345ee3732226f1fd2d01b02e30ed12e89aac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat

MD5
9e82c8236a781d00b13dd47d5c3d20a5

SHA1
fb8a4f2cbe662c625128f472eb6f50ff954e3629

SHA256
c9422f9e15921eb73d32a25f7ac91d3f8667cc99857333c105994d8e41f72c79

SHA512
a1620da4199be79735aab9e188cec6ee3ecac52f20ad6ac2d8de5a89e1a0cb59bc517e4fb2487de4391a7aa09e8a1cd5ab263cea80200e82c5b7fad16dc1e57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUvcrzcpRj.bat

MD5
a891b45369c144c256c253a2deffedce

SHA1
37cdb1c413f9abb73efd26f75bb19037631925fb

SHA256
c7dde14e252358758da96eb76da4e591a45f98fa716b604781426bae176b9edb

SHA512
831467c23fb0d24308e1ee6af0394c47e162babe3509fae3f65b9887c2c8d6b41445f404df22d09a9073dfcb98b4513b0e914c371bea4a50c7beef2bd30d5202

Download Submit
C:\Windows\System32\KBDINBEN\f3b6ecef712a24

MD5
38050da1be3921932f54e893ec825e38

SHA1
6ad15488d4270266d475aa1a341671f329098fc7

SHA256
ee7a4f276f433cb8b8df58de3941914669bdece1607110d9e593e1b362fa188a

SHA512
5b85e9db62ff4a246f8977acd4c78321e8bf1ba17e0341b6e368e74cec6d9b206b0110f5e66f93fc7dcd84ec5c3abf6969d3cf1c697619b30e85cadad2a0480e

Download Submit
C:\Windows\System32\KBDINBEN\spoolsv.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\System32\KBDINBEN\spoolsv.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\System32\wlansvc\9e8d7a4ca61bd9

MD5
940bd7222e9786f2028fbf2c9a48ed5c

SHA1
750680cb8c53e65cc6c2f598eb2f078d88ac4ebb

SHA256
6c9087ee42b4de6dbb044f72950d1f7707847c785927bf56fa5760bbd31c4d27

SHA512
398aa13fb26273fc423a501e93d1d34bb6be5ce17eec7959050bcac7b6f4272d315e8462df82150ff5a430bf309588ee2aca8a4e4acb4f164d9ffa071b1bc4bf

Download Submit
C:\Windows\System32\wlansvc\RuntimeBroker.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\debug\SearchUI.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\debug\dab4d89cac03ec

MD5
416e449d541fda8af2dcd8156014c6df

SHA1
fda99cfade877b533d9ee33fd0243bb20c1c5e44

SHA256
54aad54b965be7c246bbb5b10c9d64f5de5675812c2078870d7c07953542cffe

SHA512
8dc49edbf31e5b8b63e5a77d067af85d1507b45c567eeb52c21758364dc08e53db67ddf0f02e7fa3548a7991c398bdbd3bc6db85079b49f84a6b2a101f2972b5

Download Submit
memory/736-115-0x0000000000730000-0x000000000095C000-memory.dmp

Filesize
2.2MB

Download
memory/736-124-0x0000000001200000-0x000000000120A000-memory.dmp

Filesize
40KB

Download
memory/736-123-0x0000000001210000-0x000000000121C000-memory.dmp

Filesize
48KB

Download
memory/736-122-0x00000000010C0000-0x00000000010CC000-memory.dmp

Filesize
48KB

Download
memory/736-121-0x000000001C3C0000-0x000000001C8E6000-memory.dmp

Filesize
5.1MB

Download
memory/736-120-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/736-119-0x00000000010A0000-0x00000000010A8000-memory.dmp

Filesize
32KB

Download
memory/736-118-0x0000000001090000-0x000000000109A000-memory.dmp

Filesize
40KB

Download
memory/736-117-0x000000001B880000-0x000000001B882000-memory.dmp

Filesize
8KB

Download
memory/736-116-0x0000000001040000-0x0000000001096000-memory.dmp

Filesize
344KB

Download
memory/776-158-0x00000250F5900000-0x00000250F5902000-memory.dmp

Filesize
8KB

Download
memory/776-205-0x00000250F5906000-0x00000250F5908000-memory.dmp

Filesize
8KB

Download
memory/776-159-0x00000250F5903000-0x00000250F5905000-memory.dmp

Filesize
8KB

Download
memory/1420-201-0x000001D63E346000-0x000001D63E348000-memory.dmp

Filesize
8KB

Download
memory/1420-152-0x000001D63E343000-0x000001D63E345000-memory.dmp

Filesize
8KB

Download
memory/1420-142-0x000001D63E340000-0x000001D63E342000-memory.dmp

Filesize
8KB

Download
memory/1900-199-0x00000173F8A56000-0x00000173F8A58000-memory.dmp

Filesize
8KB

Download
memory/1900-156-0x00000173F8A53000-0x00000173F8A55000-memory.dmp

Filesize
8KB

Download
memory/1900-155-0x00000173F8A50000-0x00000173F8A52000-memory.dmp

Filesize
8KB

Download
memory/3196-329-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/3196-330-0x000000001BCE0000-0x000000001BEA2000-memory.dmp

Filesize
1.8MB

Download
memory/3952-145-0x0000022DFBA00000-0x0000022DFBA02000-memory.dmp

Filesize
8KB

Download
memory/3952-203-0x0000022DFBA06000-0x0000022DFBA08000-memory.dmp

Filesize
8KB

Download
memory/3952-160-0x0000022DFB9C0000-0x0000022DFB9E2000-memory.dmp

Filesize
136KB

Download
memory/3952-154-0x0000022DFBA03000-0x0000022DFBA05000-memory.dmp

Filesize
8KB

Download
memory/4012-200-0x0000026FDD636000-0x0000026FDD638000-memory.dmp

Filesize
8KB

Download
memory/4012-165-0x0000026FF7A10000-0x0000026FF7A86000-memory.dmp

Filesize
472KB

Download
memory/4012-157-0x0000026FDD633000-0x0000026FDD635000-memory.dmp

Filesize
8KB

Download
memory/4012-150-0x0000026FDD630000-0x0000026FDD632000-memory.dmp

Filesize
8KB

Download