Overview

overview

10

Static

static

10

faa40b4bcb...1a.exe

windows7-x64

10

faa40b4bcb...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a.exe

  • Size

    1.7MB

  • MD5

    8d57c2893df62748ad2a6023840a5ac2

  • SHA1

    2d7f94e19ce1f9f531c149370ed416ba7fea2ee0

  • SHA256

    faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a

  • SHA512

    68d7a6358ca50cbdd398fc04e53162ed6e16731ff28fcdb025947424d7232bc20136c2fe4725e82360a882ba279b75af90340d00928902a8d6f24bdf4ccd6390

  • SSDEEP

    24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a.exe
    "C:\Users\Admin\AppData\Local\Temp\faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3528
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NPCLYSWDin.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3828
        • C:\Users\Default\csrss.exe
          "C:\Users\Default\csrss.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1dfe016-0afc-4766-88f1-41763dbe6795.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:960
            • C:\Users\Default\csrss.exe
              C:\Users\Default\csrss.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3376
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c666eeb-d33d-4b64-9372-75d491a5d471.vbs"
            4⤵
              PID:2160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\USOShared\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\USOShared\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4192
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4296

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
        Filesize

        1.7MB

        MD5

        9f3a7928c88f91367b81fffd4082476e

        SHA1

        0255e8668af65e04e89f3ae77573be0b011cb3ca

        SHA256

        f34d8b5b382f60be1e86c308caf5ffc36d12b31fc3c9bca87451fdf91e92d3e6

        SHA512

        17cdb404b6f47b26fb14b9d5f9fa50daac0bb4f6c2f05fd21cdf224970467c061ba83bc5601ff42895bf7232bf5241686f130ec02bb0a777ae25cd176c90bae3

        Download Submit

      • C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe
        Filesize

        1.7MB

        MD5

        ef260b2deb827c36a25965607d2371e4

        SHA1

        85341a22b3e946973cc8760fcf5ae5dbf98cb96d

        SHA256

        606cf2bbcbc03864f97319196d595d1fa123616202885ead5ccfd026fec91997

        SHA512

        011cb2a22b33661c879eea1780d35bcdda464299546c40085d0c8903f99d204665140a659f1ceb0a75dbfc612d8755e939edbf22ae5aa54e17fb2659cd7ad626

        Download Submit

      • C:\Recovery\WindowsRE\SearchApp.exe
        Filesize

        1.7MB

        MD5

        6144d5726300d0020b7fbcba3fa18b8d

        SHA1

        68a42ac7018a465781fb1c12ef0350943119d2b6

        SHA256

        7228de9d5dc85b78adb4483c2147f7915419727b62902e8a72833650b1e15704

        SHA512

        8aaf7197db01ae6dcea7291e26d0b62ae035dcce0fe1324a80f75ca511882a28f797b77300c30c9ca18fe07cfe17881ee38f83a805af0ed251f52ce111c6e092

        Download Submit

      • C:\Recovery\WindowsRE\SppExtComObj.exe
        Filesize

        1.7MB

        MD5

        3ca85cb7d8f2a2ca557df15be25f9e78

        SHA1

        0a3f9b2b5676d99c563fb862ee441d029394f021

        SHA256

        ee14670c3833855e31bd2f0fbae7455a805d2f3671a1e1bc4e1b00528c962672

        SHA512

        0160394843ee3182e97a2cb9423b49fbe392a64c506e5a8ed61f4351a6aeb7726aee503e62fbbac892e737334f968fbbb7ab49855463303567238efeb4103289

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
        Filesize

        1KB

        MD5

        3ad9a5252966a3ab5b1b3222424717be

        SHA1

        5397522c86c74ddbfb2585b9613c794f4b4c3410

        SHA256

        27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

        SHA512

        b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        cadef9abd087803c630df65264a6c81c

        SHA1

        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

        SHA256

        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

        SHA512

        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        2e907f77659a6601fcc408274894da2e

        SHA1

        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

        SHA256

        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

        SHA512

        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e243a38635ff9a06c87c2a61a2200656

        SHA1

        ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

        SHA256

        af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

        SHA512

        4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        59d97011e091004eaffb9816aa0b9abd

        SHA1

        1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

        SHA256

        18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

        SHA512

        d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0c666eeb-d33d-4b64-9372-75d491a5d471.vbs
        Filesize

        478B

        MD5

        2049e4742b31e2e14e54178d4c41c4cc

        SHA1

        fb8c39443851ab9fc8ff31de1a00cda1fbb15ffa

        SHA256

        94b425a69d5d5b9349566fd7db3e3e20f7ec2b7cb23808e6e9ca34187bafbbaa

        SHA512

        532ad648fe34f95c152fe05249c77b434fa86fbdf3af325ded70919f90d39823aab75d18f2feb6189cfc0f5145f832dafa58cc32a76c51c492f0b74acfcea828

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NPCLYSWDin.bat
        Filesize

        191B

        MD5

        9d6d26ee04e45d5a7173ee3387bb702a

        SHA1

        6f4bd4977f826bc90a13ccf5e78c6ddc3360c99b

        SHA256

        811f34776a9744bee4e9b9f6011400b9c3fcae758d3d3fca1927573dc1a3374b

        SHA512

        5d2d02ee5132d7b5239965ccd6d6d05a36ce7fd8d6cb51a549133fb300b36a214cf54f18859b840224c322a492f80dce37f4ad0424623e81096016dc41ca8644

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mud24x2s.ngv.psm1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a1dfe016-0afc-4766-88f1-41763dbe6795.vbs
        Filesize

        702B

        MD5

        bbda846560bde1135942876027d8af28

        SHA1

        276e3e12dd5306446c0382d3e98481b1535fce4f

        SHA256

        84e44644c218ea747cb31b4737b32fc830ce4d433db4ebfa6eec023110891d88

        SHA512

        602ac153da8aa1e418d437ff1c9053387bd8e6294ebf5753fa781e87a4c48b03e80bd12c2ea5cb839aa9e67ef8fbb552f7f5449d9563103aa6c91e053f7ef881

        Download Submit

      • C:\Users\Default\csrss.exe
        Filesize

        1.7MB

        MD5

        7f14db33001f5104f2b95d06965f429f

        SHA1

        2998f451d7568e304d8af2ece2b111f6b734bb4f

        SHA256

        2c3cafec71bf8d3c8cae4b65ed7e8088ed3ac447ee835d27fa98759d0198abc4

        SHA512

        beeca16d6953a20fbfaf209cc26ae6398ac8447961f74fc84b6bc29a26afdb5734f616059122fd86faaccc1663c5506439cba926c7026bc385947e8b8d6a5d31

        Download Submit

      • C:\Users\Public\Music\wininit.exe
        Filesize

        1.7MB

        MD5

        8d57c2893df62748ad2a6023840a5ac2

        SHA1

        2d7f94e19ce1f9f531c149370ed416ba7fea2ee0

        SHA256

        faa40b4bcb1f0e493c693399173b381eda22db9ca1c3436d8167b5fdb0deaf1a

        SHA512

        68d7a6358ca50cbdd398fc04e53162ed6e16731ff28fcdb025947424d7232bc20136c2fe4725e82360a882ba279b75af90340d00928902a8d6f24bdf4ccd6390

        Download Submit

      • C:\Users\Public\Music\wininit.exe
        Filesize

        1.7MB

        MD5

        816dccde51a6de3181e8fbb5a4d7b48a

        SHA1

        6e1f62a8db5bd2cb58ac656bcbfc2004649698fd

        SHA256

        e86957b445d96e74212db55f66e803b3e9668b62c57e340be0ac690f70e97975

        SHA512

        a44f8da5765263008ce18f5a7e89d69f41402233af8434570bcce50e59bc632b3e061a5f61663cfd0ef77aefdb119de847e34fae0fe8f1b50296dd2d735b2450

        Download Submit

      • memory/3640-187-0x000002305ADA0000-0x000002305ADC2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3744-296-0x0000000000A60000-0x0000000000C16000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3744-297-0x000000001D340000-0x000000001D352000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4432-4-0x000000001B880000-0x000000001B8D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4432-0-0x00007FF9D97A3000-0x00007FF9D97A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4432-6-0x000000001B840000-0x000000001B850000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4432-7-0x000000001B850000-0x000000001B866000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4432-149-0x00007FF9D97A3000-0x00007FF9D97A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4432-3-0x0000000002680000-0x000000000269C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4432-163-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4432-22-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4432-17-0x000000001BC60000-0x000000001BC6C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4432-189-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4432-18-0x000000001BC10000-0x000000001BC1C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4432-8-0x000000001B870000-0x000000001B882000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4432-2-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4432-19-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4432-15-0x000000001BC20000-0x000000001BC2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4432-16-0x000000001BC30000-0x000000001BC38000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4432-14-0x000000001BC80000-0x000000001BC8C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4432-13-0x000000001BA00000-0x000000001BA0C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4432-11-0x000000001B9E0000-0x000000001B9E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4432-10-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4432-9-0x000000001B9F0000-0x000000001BA00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4432-5-0x000000001B830000-0x000000001B838000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4432-1-0x0000000000440000-0x00000000005F6000-memory.dmp

        Filesize

        1.7MB

        Download