dcrat | 85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87

Analysis

max time kernel
0s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWJ3rhzJmNpT0H.exe
Size

1.7MB
MD5

f110d8cce9bfb48c7360203fa38d21c7
SHA1

b25dc35fe3741b5c6cf8286d65067920fb89823b
SHA256

85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87
SHA512

506cd39bc1cbcc9550cc726bc237a25c463512eec8c59f3b5990f207694f17dabd84e650676377c0b456f85ea61064fc0c55029390e82e0fece594982a223ad0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1464-0-0x0000000000960000-0x0000000000B16000-memory.dmp	dcrat
behavioral2/files/0x000600000002320f-29.dat	dcrat
behavioral2/files/0x000a000000023124-99.dat	dcrat
behavioral2/files/0x000700000002323e-215.dat	dcrat
behavioral2/files/0x000600000002322f-403.dat	dcrat
behavioral2/files/0x000600000002322f-402.dat	dcrat
behavioral2/files/0x000600000002322f-425.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	XWJ3rhzJmNpT0H.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe	XWJ3rhzJmNpT0H.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\6203df4a6bafc7	XWJ3rhzJmNpT0H.exe

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
712	schtasks.exe
3132	schtasks.exe
3904	schtasks.exe
2564	schtasks.exe
1912	schtasks.exe
4572	schtasks.exe
2076	schtasks.exe
3380	schtasks.exe
4604	schtasks.exe
3384	schtasks.exe
1656	schtasks.exe
4116	schtasks.exe
3936	schtasks.exe
4820	schtasks.exe
1212	schtasks.exe
528	schtasks.exe
2636	schtasks.exe
1476	schtasks.exe
3248	schtasks.exe
4080	schtasks.exe
3968	schtasks.exe
828	schtasks.exe
2148	schtasks.exe
3648	schtasks.exe
3812	schtasks.exe
4292	schtasks.exe
760	schtasks.exe
3316	schtasks.exe
368	schtasks.exe
2448	schtasks.exe
4136	schtasks.exe
3888	schtasks.exe
3468	schtasks.exe
3120	schtasks.exe
4312	schtasks.exe
3112	schtasks.exe
524	schtasks.exe
4496	schtasks.exe
2212	schtasks.exe
1304	schtasks.exe
4300	schtasks.exe
4716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1464	XWJ3rhzJmNpT0H.exe
1464	XWJ3rhzJmNpT0H.exe
1464	XWJ3rhzJmNpT0H.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	XWJ3rhzJmNpT0H.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWJ3rhzJmNpT0H.exe
"C:\Users\Admin\AppData\Local\Temp\XWJ3rhzJmNpT0H.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gzt5yWbeOH.bat"
  2⤵
  PID:4664
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5596
- - C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
    "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
    3⤵
    PID:5336
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d9055d9-434e-4c8b-a394-62ab282864bd.vbs"
      4⤵
      PID:5592
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37a0164-8554-44b1-815d-4d5f7c825ab3.vbs"
      4⤵
      PID:5572
    - - C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        
        C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
        5⤵
        
        PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\SearchApp.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Festival\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Media\Festival\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Festival\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe

Filesize
24KB

MD5
7212d40d2c919cc2f2f519f68ce1509e

SHA1
6f8b1dcae09f1952c97793ba460a656958b361d8

SHA256
a86497e26b03ef825a3af82ef5dd7dc35d40cdcda10b9e4992c265abb14e4b77

SHA512
ee4ebff93b7c2c6f7705da2aca6a7b38847559cd37074c4011476bae90119dea580f39d2c8a04a01837ed9368ba97b1d1e6349fcd97342c19f3d3365d6878008

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

Filesize
82KB

MD5
e6f40da94746e76c184ad17ea0ab043f

SHA1
d52bc467e6c16cb54a9ac1e439914b157aff4b0e

SHA256
8617bab40e76c7f57f783e969169e5fe621e77fda571c4a0489a12ea98ac892b

SHA512
9d1defbdb21cf514113f40af1154f798ba36732cc5f2456cb9231e6c25314547cedbf98299e7e7cda0218606c0bd8328ff0e75a5b546048d6dadfcc29e179d29

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

Filesize
64KB

MD5
c59855ea1f7380684dcc97b6fbdad91b

SHA1
2dee64530ba6aac7f84d6ea6dfe2f9a23e064c9d

SHA256
505380863bd6b9714cdad1c459ecb374ed06f188760e5025149661e24d2892c0

SHA512
dc00ee067b08e2b4f461424d5aebf9ad047b0987e29f87f8e9cbe7a1729c2a102ed272d1bc1cdadab8a51efc7e4f8539a273d99947da52033fe4a3d266704f01

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

Filesize
41KB

MD5
e7284b20ae7e1e9fa683b3dbf1ef1804

SHA1
3247f2e306c736c3b7eea93c1809df4468967e0e

SHA256
5caa314698e3eb72965e75856246d3873f56d08937e37bf892a82227e6d51eb8

SHA512
e608441c4f6cbf9651007dca4026ff2554d026253581752a21a2c8fe9794183edb66aa12b242c0022ba0cee0b6b1030026ce28884760e51285d18b0c991aabfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d9055d9-434e-4c8b-a394-62ab282864bd.vbs

Filesize
501B

MD5
77b41ab0f26affd98dadd57a5d7dcf75

SHA1
64175c8f0a33ba6ac588dab52a8046ad3f4d9485

SHA256
e454cd05afa2856b97d85fbf0e52af919090c81df3e03554ca94e08db7fc3a00

SHA512
c0b25f399940db71b90b81b1f3b1940c3aa55f69a597d33fccd26e25f4710273802a2d3bbdc0bd20fc888f3852aaa1ceeb2a9f4d5bdced6592404b6997ca1a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gzt5yWbeOH.bat

Filesize
214B

MD5
dcb481c3d020f6304a52b6efdf2afdab

SHA1
6e691d4e50d0ca83b6a348be365c56fa85902811

SHA256
a2787dea510c5030bc2b8f1c87cef7d6cf75b8298e73c2f7c5f6f3e83f781e89

SHA512
3bd8c44dd1129ac86d20d75cc3c41976edaf1f8d5bca009b7ac4ed72ec066155eedfc7266581337e7e422dcb23c5514109737a2be8b7eafde4a0e85dd4d421e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxdyxwf0.3us.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e37a0164-8554-44b1-815d-4d5f7c825ab3.vbs

Filesize
725B

MD5
e1759102406df2bdd165b7ecd5885914

SHA1
41e7d1d224d113638d15265761fb25d2b3573276

SHA256
328fb89f309c7d7aaef64917433d2c4cd1fb9f2c8840d9eeef6bdb33ac187e3a

SHA512
19a65e7d7bc0a53c1336436b7e71185be238239197e5b6a47f4a0e6b067b80da8bbde686bd300675cdfcc3a0db0a03a1d99be44834c25f6f93d4cfea2fea08c7

Download Submit
C:\odt\WmiPrvSE.exe

Filesize
385KB

MD5
fe583b393872d08daecf1d47224fb592

SHA1
15d1cca475391c6b1736eeda1db1d16d7c59ca0f

SHA256
63557e0666e06d080134af199ecb3e148621412793c9f20e2a9eb1dbe3b7a782

SHA512
31e6838aa0e58c352c1392ab6c3db81732562b04bae08cc973a53f609dc5ec2b0adb429930a9499a628652854b5a9b3bc52050366cdea38a395dd9ccf9d623b9

Download Submit
C:\odt\upfc.exe

Filesize
655KB

MD5
ed6cfcd6612659b886c6ed518a832569

SHA1
2847cab03357c2850793ebead4df19988dde6b74

SHA256
74c8fa5af0c421ba203df454735109b2f90e07c2483b934203e68daf56080bef

SHA512
206973f34ede4500fee4ee367c40989f09fc68b7440561400215502e56e7085488af5109f0e050e16495b65462e02e328b48295e90bfeb739e1bb5e23cc56cc5

Download Submit
memory/748-374-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/748-228-0x0000029050E00000-0x0000029050E10000-memory.dmp

Filesize
64KB

Download
memory/748-227-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/748-229-0x0000029050E00000-0x0000029050E10000-memory.dmp

Filesize
64KB

Download
memory/1208-387-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1208-316-0x0000023BE4F80000-0x0000023BE4F90000-memory.dmp

Filesize
64KB

Download
memory/1208-327-0x0000023BE4F80000-0x0000023BE4F90000-memory.dmp

Filesize
64KB

Download
memory/1208-251-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-4-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/1464-0-0x0000000000960000-0x0000000000B16000-memory.dmp

Filesize
1.7MB

Download
memory/1464-2-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/1464-1-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-8-0x0000000001420000-0x0000000001432000-memory.dmp

Filesize
72KB

Download
memory/1464-7-0x0000000002D30000-0x0000000002D46000-memory.dmp

Filesize
88KB

Download
memory/1464-10-0x0000000002EE0000-0x0000000002EEC000-memory.dmp

Filesize
48KB

Download
memory/1464-17-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/1464-3-0x00000000012D0000-0x00000000012EC000-memory.dmp

Filesize
112KB

Download
memory/1464-14-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/1464-11-0x0000000002EF0000-0x0000000002EF8000-memory.dmp

Filesize
32KB

Download
memory/1464-226-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-5-0x0000000001400000-0x0000000001408000-memory.dmp

Filesize
32KB

Download
memory/1464-13-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/1464-16-0x0000000002F10000-0x0000000002F1A000-memory.dmp

Filesize
40KB

Download
memory/1464-15-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/1464-43-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/1464-18-0x0000000002F20000-0x0000000002F28000-memory.dmp

Filesize
32KB

Download
memory/1464-9-0x0000000002D50000-0x0000000002D60000-memory.dmp

Filesize
64KB

Download
memory/1464-20-0x000000001B860000-0x000000001B86C000-memory.dmp

Filesize
48KB

Download
memory/1464-19-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/1464-6-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/1876-363-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1876-359-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-353-0x000002A64FE20000-0x000002A64FE30000-memory.dmp

Filesize
64KB

Download
memory/1960-396-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-352-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-354-0x000002A64FE20000-0x000002A64FE30000-memory.dmp

Filesize
64KB

Download
memory/2100-388-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2100-364-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2100-358-0x000001D1D30C0000-0x000001D1D30D0000-memory.dmp

Filesize
64KB

Download
memory/2124-395-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2124-328-0x0000024D74CA0000-0x0000024D74CB0000-memory.dmp

Filesize
64KB

Download
memory/2124-317-0x0000024D74CA0000-0x0000024D74CB0000-memory.dmp

Filesize
64KB

Download
memory/2124-293-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-389-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-355-0x000001850A400000-0x000001850A410000-memory.dmp

Filesize
64KB

Download
memory/2312-365-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-356-0x000001850A400000-0x000001850A410000-memory.dmp

Filesize
64KB

Download
memory/2420-350-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-351-0x00000291EC970000-0x00000291EC980000-memory.dmp

Filesize
64KB

Download
memory/2420-375-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2600-366-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2600-400-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2600-357-0x000001F0764E0000-0x000001F0764F0000-memory.dmp

Filesize
64KB

Download
memory/4152-362-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-397-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-239-0x000001FC6C110000-0x000001FC6C120000-memory.dmp

Filesize
64KB

Download
memory/4152-240-0x000001FC6C110000-0x000001FC6C120000-memory.dmp

Filesize
64KB

Download
memory/4744-390-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-225-0x0000020E6D030000-0x0000020E6D040000-memory.dmp

Filesize
64KB

Download
memory/4744-224-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-378-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-349-0x000001874EA40000-0x000001874EA50000-memory.dmp

Filesize
64KB

Download
memory/5024-348-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-241-0x0000018766DA0000-0x0000018766DC2000-memory.dmp

Filesize
136KB

Download