dcrat | 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714

Resubmissions

14/01/2025, 04:24

250114-e1k7payngl 10

14/01/2025, 03:04

250114-dkkesaxmar 10

Analysis

max time kernel
103s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Size

16.0MB
MD5

5aa236eabe65a1e444f1eb31fb330eba
SHA1

b6a8d5362991511526ea5a2b86ad70f05e70652c
SHA256

3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714
SHA512

0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be
SSDEEP

98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\wininit.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\wininit.exe\", \"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3504	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3504	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	3504	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3504	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3504	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3504	schtasks.exe	90

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1508	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	XenoSetup(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DriverbrokerCrtDhcp.exe

Executes dropped EXE 4 IoCs

pid	Process
4000	XenoSetup(1).exe
4200	Xeno.exe
932	DriverbrokerCrtDhcp.exe
5048	wininit.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XenoSetup(1) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XenoSetup(1).exe"	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32Local\\wininit.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32Local\\wininit.exe\""	DriverbrokerCrtDhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDEEC61457B52487D81EB76F8197D1F73.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32Local\wininit.exe	DriverbrokerCrtDhcp.exe
File opened for modification	C:\Windows\System32Local\wininit.exe	DriverbrokerCrtDhcp.exe
File created	C:\Windows\System32Local\56085415360792	DriverbrokerCrtDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoSetup(1).exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	XenoSetup(1).exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DriverbrokerCrtDhcp.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4996	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe
1108	schtasks.exe
868	schtasks.exe
1496	schtasks.exe
1524	schtasks.exe
4972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	powershell.exe
1508	powershell.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe
932	DriverbrokerCrtDhcp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	932	DriverbrokerCrtDhcp.exe
Token: SeDebugPrivilege	5048	wininit.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1508	4884	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	82
PID 4884 wrote to memory of 1508	4884	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	82
PID 4884 wrote to memory of 4000	4884	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	84
PID 4884 wrote to memory of 4000	4884	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	84
PID 4884 wrote to memory of 4000	4884	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	84
PID 4884 wrote to memory of 4200	4884	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	85
PID 4884 wrote to memory of 4200	4884	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	85
PID 4000 wrote to memory of 4296	4000	XenoSetup(1).exe	86
PID 4000 wrote to memory of 4296	4000	XenoSetup(1).exe	86
PID 4000 wrote to memory of 4296	4000	XenoSetup(1).exe	86
PID 4296 wrote to memory of 4472	4296	WScript.exe	94
PID 4296 wrote to memory of 4472	4296	WScript.exe	94
PID 4296 wrote to memory of 4472	4296	WScript.exe	94
PID 4472 wrote to memory of 4996	4472	cmd.exe	96
PID 4472 wrote to memory of 4996	4472	cmd.exe	96
PID 4472 wrote to memory of 4996	4472	cmd.exe	96
PID 4472 wrote to memory of 932	4472	cmd.exe	97
PID 4472 wrote to memory of 932	4472	cmd.exe	97
PID 932 wrote to memory of 3112	932	DriverbrokerCrtDhcp.exe	102
PID 932 wrote to memory of 3112	932	DriverbrokerCrtDhcp.exe	102
PID 3112 wrote to memory of 2300	3112	csc.exe	104
PID 3112 wrote to memory of 2300	3112	csc.exe	104
PID 932 wrote to memory of 3176	932	DriverbrokerCrtDhcp.exe	105
PID 932 wrote to memory of 3176	932	DriverbrokerCrtDhcp.exe	105
PID 3176 wrote to memory of 3056	3176	csc.exe	108
PID 3176 wrote to memory of 3056	3176	csc.exe	108
PID 932 wrote to memory of 2772	932	DriverbrokerCrtDhcp.exe	112
PID 932 wrote to memory of 2772	932	DriverbrokerCrtDhcp.exe	112
PID 2772 wrote to memory of 2176	2772	cmd.exe	114
PID 2772 wrote to memory of 2176	2772	cmd.exe	114
PID 2772 wrote to memory of 4292	2772	cmd.exe	115
PID 2772 wrote to memory of 4292	2772	cmd.exe	115
PID 2772 wrote to memory of 5048	2772	cmd.exe	116
PID 2772 wrote to memory of 5048	2772	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
"C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe
  "C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4996
    - - C:\portBrokerDll\DriverbrokerCrtDhcp.exe
        
        "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxplnx0g\bxplnx0g.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2872.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC197EB2C92DBC466EB6BC99E23421FB.TMP"
        7⤵
        
        PID:2300
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oxwkedna\oxwkedna.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28EF.tmp" "c:\Windows\System32\CSCDEEC61457B52487D81EB76F8197D1F73.TMP"
        7⤵
        
        PID:3056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ao2pcUbWlQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4292
        
        C:\Windows\System32Local\wininit.exe
        
        "C:\Windows\System32Local\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
- C:\Users\Admin\AppData\Local\Temp\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\System32Local\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32Local\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\System32Local\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 5 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 6 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2872.tmp

Filesize
1KB

MD5
d61f0ea590c5ce8e27787ee54dab90da

SHA1
5689cc4501c744f578943a9a94ae13ff0d17d089

SHA256
acbadbe5f0c87f0dd2a60f8ff0b08c2ee7b42d5677018198a73dd12e83860cea

SHA512
d83a51be38bbd80adae258d1ed7347bc504bf54b484a98c183b8fbefba42cb464e0276753d31e252e3412fb324c314a6a559486c360738fbe66e7851b26b95e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES28EF.tmp

Filesize
1KB

MD5
3934a85f52e4602cbe95cdb55218e4c0

SHA1
967ae8048d54b8c03baf8e6e3bc45fdb4534bcd4

SHA256
b72b04348b2d1d31c72a2ac01467b99de997acd21d451ce2d17e4da6016386fa

SHA512
9ce501598ae30bdcf4688a0b62b5150d3e235b66b6d6bfd0be20ec8e2c4971f16878a5f7deae53ba26160e0f2511f8cf869686a1ff82bf4a6edf5c528784ad90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xeno.exe

Filesize
3.5MB

MD5
056586e6a4d9b97c77fd606b2a63f604

SHA1
b13e10949df28f3944c68b950617a641ea20491b

SHA256
4d3b4ef0ec929ebd649637f55aabd856954e3d6424ac337a17ee4bb65ec2e8f3

SHA512
da2c4066a7975ede5c1645d6cd82f0499b452a021d18aa86ad64130efc9f1da2270be30a7af89b4cce97b0eb13c27f55f37c70db5f2f6aa4a2b5a54dcae72cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe

Filesize
3.5MB

MD5
bcf49847a74e554a807294d4f5adfa62

SHA1
c6f105b28ac3bc7dd2e4a444cf96edbcdc45febf

SHA256
eae94b757fe5e150f8f1039140feebc969788bd2c0ef7fe2d4675a81f6dc9898

SHA512
489cf5844853a4ba7489386a545d0369e1eca835a70053aa6e408aed7f42eaa26684859ddf50b874c643c53ae050dcd3d1a27e887e413c8db8636818ba7dcdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsqtqrhb.4rt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ao2pcUbWlQ.bat

Filesize
212B

MD5
2cd36138f93831d4362813e235f6e4fa

SHA1
50e3a36700416b2ea90760619bd8174212a7fba6

SHA256
b9407edd46073505663d2de496fc9130a76a09a5d493a1bcb05e3d7abf95d2b9

SHA512
06f33be47fd70a0ba913620365766ad84127ec893e65a7b54547b1a40993107ee2b5670b2f3c3e6c424b314077386a69e2663da4e2a1f2f83190d700bdce1bd7

Download Submit
C:\portBrokerDll\2jfojLJgRy.vbe

Filesize
237B

MD5
851d51cdee60a57d4aef51ea7f466436

SHA1
34a13967e69d21091850d4f0dffb2bce88c80e0c

SHA256
5d612089c06bbe2b32de8bfcc3e0ba1e0ef2155cd6cde83b280797c6061ca269

SHA512
7fed60da3ed3ff2a26b8b4cadf0cf6cd3e28259a4a7ec7e3ba97509fa47b7ca75753ca49edf2f218ae323830977c2ecdfb2f05b6fa5de303038c31012926e953

Download Submit
C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat

Filesize
194B

MD5
69c0edf85b6d3ab82c42e82ef04f50f7

SHA1
7acb4d2454d9e04db488c2ee4352cfece1b8ae58

SHA256
3041cc5e5c4251ea1eddccaa5d145446719d6e86dcfd3bc40bc23c80b3102ec2

SHA512
04877f967609e6efb4a8c4f99c4130b3894eb223f390d32c6e2248abaf1bdff71f539f122635f18fa432648b927cc597dd7bdaa52284824f8c57c7909f7dca21

Download Submit
C:\portBrokerDll\DriverbrokerCrtDhcp.exe

Filesize
3.3MB

MD5
c9d8bce0425ed81346b9a43f148d948b

SHA1
d3bcb8f02ef3732ffa70fc798cd4ad3d77bbbde6

SHA256
884de0ba4d113a1674b112f76b7d6af9bb11c562d6b58155e974e549694e0f58

SHA512
60e0d21db0518d66f4546dceb978b15d2eb87347cc1676b7420eb2a6c4c1c6fa947d31ae8cb70ce880b76f931702aaab51c46f559dd91a49c9a4bdc83b75368b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC197EB2C92DBC466EB6BC99E23421FB.TMP

Filesize
1KB

MD5
dc289c30c143fd2f8e608119ae4846a0

SHA1
2f0d6888b80d26d9ff52b5decdd63963255e5113

SHA256
37aac241c050fb90090b36441ae1f198d11a0da4ee5f30e3332673f3c6ecf40a

SHA512
68bffd2b69ee9d5857fc9d5b2a71561a985738b5fe0768fc7dd23a753c976529158042f2a239ffe74ed99b5bd4b469fd2220a990d20a742935f5560a55f2d6fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxplnx0g\bxplnx0g.0.cs

Filesize
388B

MD5
5e29957ca2eaa7535f79ddeece37635a

SHA1
628d981e02284fb8cd5e6e6298473757b91ec5e0

SHA256
74de96c4e93f6d74311896480817697ab956105dba1c080aa770f61c2277cd28

SHA512
159b55128bd0852afc6457228396e6500a169a7461eb018b999314a75b0cb8f1282fed87dcc35ebc874a176fa3a31582ff0c6b8035c9582e4d88de2159164ed9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxplnx0g\bxplnx0g.cmdline

Filesize
255B

MD5
dfe67988d82d147d46e5e03c353a271f

SHA1
9d4caa6dcb8c9746ac464d09275c176a59a4954a

SHA256
d736a610a0f5feb37ad3d2c3b651d36b500d7e4ab6429e8b9252e77268bb67d5

SHA512
309b3cb1f092a9cbc73cee5ea9b885f14617afb683b7dc79aab734dc2fbbc49fcab9eb6534d1558ba843123e36efcaf2a9ac180179675991b895a49389372ce9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oxwkedna\oxwkedna.0.cs

Filesize
368B

MD5
2a66f68cc32fea31587ffe2aa1e65797

SHA1
e915692a9ff832766cbcb3d3c4972829735553ef

SHA256
862d8f7eb1646048e27d6c6119a334d9d731575aaf03de96da025e94a9810f80

SHA512
d9c9eb92764531e53a77846b29419c3e4d31cb975c519406fa6782a39b28a7cccdb44fa76a0fd5016ffc7af3ea807e34dd3b925b1bf27bcc5d4609ab97e2c7d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oxwkedna\oxwkedna.cmdline

Filesize
235B

MD5
cdb51eed23c3361d09db3e8e8630b474

SHA1
282102d052925cc80e906f4c8eedb9a14909bf14

SHA256
deece886e9a054275d733f7151fef2460d1c073736787680b24840fc0d543c26

SHA512
95b452ded8f27c6b87fb8b84145389b4bfe74285d3e64ce272542f1903735d0a83c3f148dd6da0ca77fdcfbf3d85d4873c98adfe542fcf8e19910ed37dda6ed5

Download Submit
\??\c:\Windows\System32\CSCDEEC61457B52487D81EB76F8197D1F73.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/932-65-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-3613-0x0000000002C20000-0x0000000002C2E000-memory.dmp

Filesize
56KB

Download
memory/932-63-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-87-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-91-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-85-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-81-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-79-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-77-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-75-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-73-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-71-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-83-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-69-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-67-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-61-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-59-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-57-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-105-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-103-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-101-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-99-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-97-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-96-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-93-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-89-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-55-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-53-0x000000001B6D0000-0x000000001BA70000-memory.dmp

Filesize
3.6MB

Download
memory/932-117-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-115-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-113-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-111-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-109-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-107-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-3611-0x000000001B660000-0x000000001B686000-memory.dmp

Filesize
152KB

Download
memory/932-54-0x000000001B6D0000-0x000000001BA69000-memory.dmp

Filesize
3.6MB

Download
memory/932-3615-0x000000001C840000-0x000000001C85C000-memory.dmp

Filesize
112KB

Download
memory/932-3616-0x000000001C8B0000-0x000000001C900000-memory.dmp

Filesize
320KB

Download
memory/932-3618-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/932-3620-0x000000001C860000-0x000000001C878000-memory.dmp

Filesize
96KB

Download
memory/932-3622-0x000000001B690000-0x000000001B6A0000-memory.dmp

Filesize
64KB

Download
memory/932-3624-0x000000001B6A0000-0x000000001B6B0000-memory.dmp

Filesize
64KB

Download
memory/932-3626-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/932-3628-0x000000001BB70000-0x000000001BB7C000-memory.dmp

Filesize
48KB

Download
memory/932-3630-0x000000001C880000-0x000000001C88E000-memory.dmp

Filesize
56KB

Download
memory/932-3632-0x000000001C900000-0x000000001C912000-memory.dmp

Filesize
72KB

Download
memory/932-3634-0x000000001C890000-0x000000001C8A0000-memory.dmp

Filesize
64KB

Download
memory/932-3636-0x000000001C940000-0x000000001C956000-memory.dmp

Filesize
88KB

Download
memory/932-3638-0x000000001C960000-0x000000001C972000-memory.dmp

Filesize
72KB

Download
memory/932-3639-0x000000001CEB0000-0x000000001D3D8000-memory.dmp

Filesize
5.2MB

Download
memory/932-3641-0x000000001C8A0000-0x000000001C8AE000-memory.dmp

Filesize
56KB

Download
memory/932-3643-0x000000001C920000-0x000000001C930000-memory.dmp

Filesize
64KB

Download
memory/932-3645-0x000000001C930000-0x000000001C940000-memory.dmp

Filesize
64KB

Download
memory/932-3647-0x000000001C9E0000-0x000000001CA3A000-memory.dmp

Filesize
360KB

Download
memory/932-3649-0x000000001C980000-0x000000001C98E000-memory.dmp

Filesize
56KB

Download
memory/932-3651-0x000000001C990000-0x000000001C9A0000-memory.dmp

Filesize
64KB

Download
memory/932-3653-0x000000001C9A0000-0x000000001C9AE000-memory.dmp

Filesize
56KB

Download
memory/932-3655-0x000000001CA40000-0x000000001CA58000-memory.dmp

Filesize
96KB

Download
memory/932-3657-0x000000001C9B0000-0x000000001C9BC000-memory.dmp

Filesize
48KB

Download
memory/932-3659-0x000000001CAB0000-0x000000001CAFE000-memory.dmp

Filesize
312KB

Download
memory/932-52-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1508-17-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/1508-14-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/1508-13-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/1508-12-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/1508-11-0x000002B82CD00000-0x000002B82CD22000-memory.dmp

Filesize
136KB

Download
memory/4884-19-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4884-0-0x00007FFA1ADC3000-0x00007FFA1ADC5000-memory.dmp

Filesize
8KB

Download
memory/4884-1-0x00000000008F0000-0x0000000000C72000-memory.dmp

Filesize
3.5MB

Download
memory/4884-39-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download