dcrat | d74b04f8a51f9974eccaad656b53ca535529a82d79d4e451a8bed890df2dce69

Analysis

max time kernel
137s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08f9a18f4de15af671058b281a60074e.exe
Size

892KB
MD5

08f9a18f4de15af671058b281a60074e
SHA1

a453e40ec014f394f1fca8dc7e98fb4360872611
SHA256

d74b04f8a51f9974eccaad656b53ca535529a82d79d4e451a8bed890df2dce69
SHA512

fb6d8b9d5ed1b6e48dada8bfe6c5a4e343bc9277d656b40210a6814fdffd05bf875cdfae867f3d1661ac7c8dd3c782e55e6a9046307f66cb125dc8edcba7014f
SSDEEP

24576:pLzyRU52j4apzuIPJ0hDSs0od7smDiatqG4yPa:5zyRUZscZ7smDQ

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4108	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4108	schtasks.exe	81

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1940-139-0x0000000000400000-0x0000000000456000-memory.dmp	dcrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	08f9a18f4de15af671058b281a60074e.exe

Executes dropped EXE 2 IoCs

pid	Process
4824	explorer.exe
744	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4824 set thread context of 744	4824	explorer.exe	123

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\explorer.exe	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\0a1fd5f707cd16	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\9e8d7a4ca61bd9	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\7a0fd90576e088	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	08f9a18f4de15af671058b281a60074e.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	08f9a18f4de15af671058b281a60074e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\Afternoon\24dbde2999530e	08f9a18f4de15af671058b281a60074e.exe
File created	C:\Windows\Media\Afternoon\WmiPrvSE.exe	08f9a18f4de15af671058b281a60074e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3392	schtasks.exe
3672	schtasks.exe
2272	schtasks.exe
3668	schtasks.exe
3940	schtasks.exe
4312	schtasks.exe
3348	schtasks.exe
2856	schtasks.exe
3360	schtasks.exe
4776	schtasks.exe
2724	schtasks.exe
4988	schtasks.exe
2200	schtasks.exe
1360	schtasks.exe
2416	schtasks.exe
3700	schtasks.exe
1456	schtasks.exe
4580	schtasks.exe
1916	schtasks.exe
4264	schtasks.exe
2540	schtasks.exe
3568	schtasks.exe
4608	schtasks.exe
5080	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	08f9a18f4de15af671058b281a60074e.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4644	08f9a18f4de15af671058b281a60074e.exe
4644	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
1940	08f9a18f4de15af671058b281a60074e.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	08f9a18f4de15af671058b281a60074e.exe
Token: SeDebugPrivilege	1940	08f9a18f4de15af671058b281a60074e.exe
Token: SeDebugPrivilege	744	explorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 3816	4644	08f9a18f4de15af671058b281a60074e.exe	92
PID 4644 wrote to memory of 3816	4644	08f9a18f4de15af671058b281a60074e.exe	92
PID 4644 wrote to memory of 3816	4644	08f9a18f4de15af671058b281a60074e.exe	92
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 4644 wrote to memory of 1940	4644	08f9a18f4de15af671058b281a60074e.exe	93
PID 1940 wrote to memory of 4508	1940	08f9a18f4de15af671058b281a60074e.exe	118
PID 1940 wrote to memory of 4508	1940	08f9a18f4de15af671058b281a60074e.exe	118
PID 1940 wrote to memory of 4508	1940	08f9a18f4de15af671058b281a60074e.exe	118
PID 4508 wrote to memory of 4928	4508	cmd.exe	120
PID 4508 wrote to memory of 4928	4508	cmd.exe	120
PID 4508 wrote to memory of 4928	4508	cmd.exe	120
PID 4928 wrote to memory of 4876	4928	w32tm.exe	121
PID 4928 wrote to memory of 4876	4928	w32tm.exe	121
PID 4508 wrote to memory of 4824	4508	cmd.exe	122
PID 4508 wrote to memory of 4824	4508	cmd.exe	122
PID 4508 wrote to memory of 4824	4508	cmd.exe	122
PID 4824 wrote to memory of 744	4824	explorer.exe	123
PID 4824 wrote to memory of 744	4824	explorer.exe	123
PID 4824 wrote to memory of 744	4824	explorer.exe	123
PID 4824 wrote to memory of 744	4824	explorer.exe	123
PID 4824 wrote to memory of 744	4824	explorer.exe	123
PID 4824 wrote to memory of 744	4824	explorer.exe	123
PID 4824 wrote to memory of 744	4824	explorer.exe	123
PID 4824 wrote to memory of 744	4824	explorer.exe	123

C:\Users\Admin\AppData\Local\Temp\08f9a18f4de15af671058b281a60074e.exe
"C:\Users\Admin\AppData\Local\Temp\08f9a18f4de15af671058b281a60074e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\08f9a18f4de15af671058b281a60074e.exe
  "C:\Users\Admin\AppData\Local\Temp\08f9a18f4de15af671058b281a60074e.exe"
  2⤵
  PID:3816
- C:\Users\Admin\AppData\Local\Temp\08f9a18f4de15af671058b281a60074e.exe
  "C:\Users\Admin\AppData\Local\Temp\08f9a18f4de15af671058b281a60074e.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N6EOGjO316.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4876
  - - C:\Program Files\Microsoft Office\PackageManifests\explorer.exe
      "C:\Program Files\Microsoft Office\PackageManifests\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Program Files\Microsoft Office\PackageManifests\explorer.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Afternoon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Afternoon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\PackageManifests\explorer.exe

Filesize
892KB

MD5
08f9a18f4de15af671058b281a60074e

SHA1
a453e40ec014f394f1fca8dc7e98fb4360872611

SHA256
d74b04f8a51f9974eccaad656b53ca535529a82d79d4e451a8bed890df2dce69

SHA512
fb6d8b9d5ed1b6e48dada8bfe6c5a4e343bc9277d656b40210a6814fdffd05bf875cdfae867f3d1661ac7c8dd3c782e55e6a9046307f66cb125dc8edcba7014f

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\explorer.exe

Filesize
892KB

MD5
08f9a18f4de15af671058b281a60074e

SHA1
a453e40ec014f394f1fca8dc7e98fb4360872611

SHA256
d74b04f8a51f9974eccaad656b53ca535529a82d79d4e451a8bed890df2dce69

SHA512
fb6d8b9d5ed1b6e48dada8bfe6c5a4e343bc9277d656b40210a6814fdffd05bf875cdfae867f3d1661ac7c8dd3c782e55e6a9046307f66cb125dc8edcba7014f

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\explorer.exe

Filesize
892KB

MD5
08f9a18f4de15af671058b281a60074e

SHA1
a453e40ec014f394f1fca8dc7e98fb4360872611

SHA256
d74b04f8a51f9974eccaad656b53ca535529a82d79d4e451a8bed890df2dce69

SHA512
fb6d8b9d5ed1b6e48dada8bfe6c5a4e343bc9277d656b40210a6814fdffd05bf875cdfae867f3d1661ac7c8dd3c782e55e6a9046307f66cb125dc8edcba7014f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08f9a18f4de15af671058b281a60074e.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\N6EOGjO316.bat

Filesize
228B

MD5
3b29f3ded8a9951fec164ed18e8039ed

SHA1
6515149ead20e04cfb2ecd338b7a518121e9d3ee

SHA256
5c41a8dcc1bb6af9cac532dce80aaad92d99032693a6ecb0bd66c65178afd89c

SHA512
f53ae734944ef0e0ce60e2f7b4c2128bc2263e042c34ec69e0fe5edcab5c60861e182aeee873544d96425d026e220c8c37180749a4949ef4c53af7785bae1a49

Download Submit
memory/744-153-0x0000000007840000-0x0000000007890000-memory.dmp

Filesize
320KB

Download
memory/1940-139-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1940-141-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4644-132-0x0000000000FC0000-0x00000000010A6000-memory.dmp

Filesize
920KB

Download
memory/4644-136-0x0000000009470000-0x000000000950C000-memory.dmp

Filesize
624KB

Download
memory/4644-135-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/4644-134-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/4644-133-0x00000000060F0000-0x0000000006694000-memory.dmp

Filesize
5.6MB

Download