Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29-10-2024 15:08

General

  • Target

    DCRatBuild.exe

  • Size

    1.8MB

  • MD5

    013bc21b187fbf033bdeec699b2263b5

  • SHA1

    78a44777f96bdd338e037fc87c548fe9b6e7f241

  • SHA256

    191d579dcc73daaca18b2442b8411f05d50ad19ea1ba834a0e2c67414edfdaf5

  • SHA512

    332b58b80ed3b88bbaaf59c4b3ab8735af56e6377ed36d8da625fd8c139d5607a7f5de603d85ba155dd78fdaca46e3a456693afd32b5cb1d88567e765a35abf0

  • SSDEEP

    24576:2TbBv5rUyXVuTutB3BpIRgMS/JiVQZph3Ute6XjQ+O34nNRB2PfC0xOhAjKEge1o:IBJuTu3ERX2Ysh30Ep34NKTxOWjKECd

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Driverruntimeperfdll\m71jv3paESEH9S1QA3ZsNaBNLB28NhVlZEjuWU.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Driverruntimeperfdll\uPDozmlRKjrXNChMTgfGYis2.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3376
        • C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe
          "C:\Driverruntimeperfdll/surrogatesavesBrokerhost.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3836
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sayvqw1v\sayvqw1v.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EA1.tmp" "c:\Windows\System32\CSC52D61454D59D449C822E95538ED4F0FF.TMP"
              6⤵
                PID:2416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4156
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2976
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4516
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Driverruntimeperfdll/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:772
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:656
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3748
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2136
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3624
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4276
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3496
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3872
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4888
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\fr-FR\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2500
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3412
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\wininit.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3380
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1848
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKO0We7prI.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2856
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4208
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:5380
                • C:\Program Files\Windows Defender Advanced Threat Protection\fr-FR\dllhost.exe
                  "C:\Program Files\Windows Defender Advanced Threat Protection\fr-FR\dllhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  PID:5896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\fr-FR\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\fr-FR\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\fr-FR\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\NetHood\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "surrogatesavesBrokerhosts" /sc MINUTE /mo 5 /tr "'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "surrogatesavesBrokerhost" /sc ONLOGON /tr "'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "surrogatesavesBrokerhosts" /sc MINUTE /mo 9 /tr "'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2676

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Driverruntimeperfdll\m71jv3paESEH9S1QA3ZsNaBNLB28NhVlZEjuWU.vbe

        Filesize

        222B

        MD5

        b6b3920b58d924e219828c67336f9202

        SHA1

        cb1edfba46ed630f75d694921ee738880dffd095

        SHA256

        f16ba871ed12b8a447a30c861a27a1324a11346541aabdc38469adcce6d3adaa

        SHA512

        04e583eb72e34c3f5ebf7b24cc4fe97d52e4a1e2b8deeef20210bcf82161e7cfeebf467767e246c0b4af948a71ca1768ab61e416e915f72eba55e7cca23cab3b

      • C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe

        Filesize

        1.9MB

        MD5

        967181542acac77f5b13f46542e84812

        SHA1

        09fbf9cfb636459cc4d54308b5b1c91d32a29f22

        SHA256

        277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2

        SHA512

        323023582fcc14c30aca827db68bb91204a5e6dc894bb1228370a3c925bb28559778f09a0b3d4581d462921630cede3ac1cd4c864357ee5b4928698e5bbdf082

      • C:\Driverruntimeperfdll\uPDozmlRKjrXNChMTgfGYis2.bat

        Filesize

        222B

        MD5

        132d5c788d06205db0e25a0b3c6bf78e

        SHA1

        d729095f4934409561af630b79c5ec3272d452b5

        SHA256

        ae76410765fd16a45a999b3a5a60a89a61c0edaa453144127664142fb360699c

        SHA512

        899f1ed8d047b5d9aad48239e78d7025d9aeb305514fa3c23e1d692a3a24f9358ebe98e9bdce8054df25c728d355260230b4d8858a4987030793dfd8f9f0597b

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        020d1cbef5aeb22088c0faff8d76af4e

        SHA1

        93e7f27b8fb57cfea4ae330bedcace1a8ce7c014

        SHA256

        cb283829df7f7ca2f7f8072ed014bebb7d424581e8672a9fa5683f3674726bb0

        SHA512

        1046228ed9d08e5296c02409b5aa460e8280a633f7f2022ec7dc7c1e750522260006844bd5114ec713593bce1d10b8932963a8630e6707e76b45a0cb8c8ff53d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        af1cc13f412ef37a00e668df293b1584

        SHA1

        8973b3e622f187fcf484a0eb9fa692bf3e2103cb

        SHA256

        449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

        SHA512

        75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        90d696d6a8ab185c1546b111fa208281

        SHA1

        b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

        SHA256

        78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

        SHA512

        0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        60b3262c3163ee3d466199160b9ed07d

        SHA1

        994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

        SHA256

        e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

        SHA512

        081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        26c94c408a5a2e1e04f1191fc2902d3e

        SHA1

        ce50b153be03511bd62a477abf71a7e9f94e68a5

        SHA256

        86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

        SHA512

        70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        8bd23aab2f3dde6d419bc23912cedd13

        SHA1

        10dc192ce97798bafb97afc025fc48c87bbae61e

        SHA256

        f4ef5307e90a68fc6882f59f6005d8459688d1000e58594d11f576e923a0c99b

        SHA512

        ab80c811f3f7e8bb620732c4315eb2a42b2239fddd5ec0eafa46b005760faa3c9c0301d91330cffd8e79c49c0d3d847ce8afbafe1889f3f1822313015c8c5ff5

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        c5f67682ca7a065a4b73be7f11a53548

        SHA1

        f7439e2bdd1dccdfd581db2e24b7bd51b274837e

        SHA256

        4644634fe9c942d8f31365e20782bf623f10381766602cf34bd76ae1cc68785f

        SHA512

        4291d74ee55d41bdfe91d14e3a16a0e3cf592f077ffeb7424b7943ee4ab3a40e3b7cd1c3b9826110c46544d6e60aa9e933b473863f63b5b52a4013a50a9c0b82

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        f0731f5760fdaec554ebeac92c5b858a

        SHA1

        4ac0a7f4cac1a8993d8d2e41490519b203272aec

        SHA256

        994163ee07fb3c0657229e7adbe8e3468d8f134c607552668a48660f70067e2e

        SHA512

        7fdbf4c8b22f2a36b32212dc41c5379496c8a4a670a6b13eeac02ebfbc394035ff25a8d79ae0a16c4f5f22bd5f59a141bb5774ba5439d1894e5363b3214dde33

      • C:\Users\Admin\AppData\Local\Temp\MKO0We7prI.bat

        Filesize

        206B

        MD5

        e4c3d0c694955b7f232f184933942936

        SHA1

        4291ad1bf04661bec750f8e21d1ebd986f65aaef

        SHA256

        7aea6fc135c55d5b1ba100288f1c0feb529d33005b8af2b7312f06c2fbfb933c

        SHA512

        ee8b5867a1d68a52dc1a5a6532358af70558226325e558b44dc862d45967b5b2cc0cf73dfbcfd14fdb5410727ba4f08c3a5da599c0e58578a58e5406a7bfc7d9

      • C:\Users\Admin\AppData\Local\Temp\RES9EA1.tmp

        Filesize

        1KB

        MD5

        55f918b79ed4dd86d459cf2e36710146

        SHA1

        8b6453bd72058203f1846eb649d91c7d380557a9

        SHA256

        168ad0d9b8f1b143513bd387978c13ce2be7a215ce47f18e0654c8a872596ebc

        SHA512

        f1b32ed5b53623b419ba369c41381a448f17647b216002b948e119d73dbca62f16984416495310d517c32bf7d78962e3de3ffccdbc05c4660640cd5fc10000c3

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lpo30kv.00y.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • \??\c:\Users\Admin\AppData\Local\Temp\sayvqw1v\sayvqw1v.0.cs

        Filesize

        365B

        MD5

        f1949f48606788d50bf19a55a43d326e

        SHA1

        9e078a4a62153810102fc77506d98affc9f49c56

        SHA256

        5157bfcef0976ae0ee34849c77fa38ba384c6cb5b80ac5789212ef5ce13d43f7

        SHA512

        2a1555799c53f732d72848f03cbdf5b15b4b4bd01ca948473ec1bbb4062c4d287004bd2e797c8ec1a4efc55299573eb13a43e69788d092cc3a8abbbb32bf4fd7

      • \??\c:\Users\Admin\AppData\Local\Temp\sayvqw1v\sayvqw1v.cmdline

        Filesize

        235B

        MD5

        754429d8e8858b4662cae2871f1edd99

        SHA1

        9b2d00a77dce3f430784bba3fb1da86d9c003aaa

        SHA256

        dab5fd647f3fcfe49d1fff8461e244b764f315f01ca1f0c29db9fb66bcd531e2

        SHA512

        b862e69a992b5ca5dfa8196fd2428a1d8e8ade7e66402325435a3d839c238f1e0a7ef11813f47745ef5fed45100a5817b53280578cfcc04325a5709eb868ecf2

      • \??\c:\Windows\System32\CSC52D61454D59D449C822E95538ED4F0FF.TMP

        Filesize

        1KB

        MD5

        7f5a99b73bc2f54b87adcbabdbd154b6

        SHA1

        4f36b714e88423822ad621b953316959e4daea04

        SHA256

        bbbf732eb476941c61919cbfe6ee039a5515ff472bc09874096f641e287cf0fc

        SHA512

        8c62f8fce3c3e6e1b635032ef108927582c54295ab0c6b69a9e09898aaea2a85d46406a8f943997f92a1c7ecdd5f8695cd091666b6fea30c0029f618d5c0feb5

      • memory/3836-28-0x0000000000C90000-0x0000000000C9C000-memory.dmp

        Filesize

        48KB

      • memory/3836-26-0x0000000000C80000-0x0000000000C8E000-memory.dmp

        Filesize

        56KB

      • memory/3836-24-0x0000000000C70000-0x0000000000C7C000-memory.dmp

        Filesize

        48KB

      • memory/3836-22-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

        Filesize

        96KB

      • memory/3836-20-0x0000000000D20000-0x0000000000D70000-memory.dmp

        Filesize

        320KB

      • memory/3836-19-0x0000000000CB0000-0x0000000000CCC000-memory.dmp

        Filesize

        112KB

      • memory/3836-17-0x0000000000C60000-0x0000000000C6E000-memory.dmp

        Filesize

        56KB

      • memory/3836-15-0x0000000000240000-0x000000000042E000-memory.dmp

        Filesize

        1.9MB

      • memory/4156-64-0x0000020D77CC0000-0x0000020D77CE2000-memory.dmp

        Filesize

        136KB