dcrat | d7108405eebedbd1d610c13bd7dae066a7ca5497f7e1c8c977a92b8401083709

Analysis

max time kernel
1s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a9ffe006a29261c5f168fdf0fe26434.exe
Size

1.6MB
MD5

2a9ffe006a29261c5f168fdf0fe26434
SHA1

f445b266e10c6aa8862836249b7191e6844daea7
SHA256

44e8546f8e588d48b8cff32d70abcef37d3e3612cc84097832eda999bf621b95
SHA512

03cf6be019011547574ef760b8a2cc16396c43f4b392a93fd52004bbb2df712751d085f081c4c55926756fe6b2186a801d6d2557080c675281966881fba8cc63
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1824	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1824	schtasks.exe	87

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral6/memory/3644-1-0x0000000000440000-0x00000000005E2000-memory.dmp	dcrat
behavioral6/files/0x0008000000024154-28.dat	dcrat
behavioral6/files/0x000c000000024075-60.dat	dcrat
behavioral6/files/0x000f000000024155-157.dat	dcrat
behavioral6/files/0x000700000002414b-274.dat	dcrat
behavioral6/files/0x000f000000024155-278.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3860	powershell.exe
4224	powershell.exe
4228	powershell.exe
2596	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DiagTrack\Scenarios\SearchApp.exe	2a9ffe006a29261c5f168fdf0fe26434.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\SearchApp.exe	2a9ffe006a29261c5f168fdf0fe26434.exe
File created	C:\Windows\DiagTrack\Scenarios\38384e6a620884	2a9ffe006a29261c5f168fdf0fe26434.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
972	schtasks.exe
556	schtasks.exe
4032	schtasks.exe
2724	schtasks.exe
4716	schtasks.exe
1648	schtasks.exe
2584	schtasks.exe
924	schtasks.exe
1116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3644	2a9ffe006a29261c5f168fdf0fe26434.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	2a9ffe006a29261c5f168fdf0fe26434.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a9ffe006a29261c5f168fdf0fe26434.exe
"C:\Users\Admin\AppData\Local\Temp\2a9ffe006a29261c5f168fdf0fe26434.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2a9ffe006a29261c5f168fdf0fe26434.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4dB2r8yAb.bat"
  2⤵
  PID:620
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2288
- - C:\Recovery\WindowsRE\wininit.exe
    "C:\Recovery\WindowsRE\wininit.exe"
    3⤵
    PID:548
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66630f2-6c9c-4631-9e1c-1412427444ee.vbs"
      4⤵
      PID:468
    - - C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        5⤵
        
        PID:3620
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\873c7189-548d-4974-b83a-91d03defc608.vbs"
        6⤵
        
        PID:4860
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        7⤵
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d6885f8-cef2-45b6-b6fa-c0b18f0b2ebe.vbs"
        8⤵
        
        PID:1948
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        9⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ff3d4ec-dc13-4846-8299-5b3988543c6c.vbs"
        10⤵
        
        PID:4212
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        11⤵
        
        PID:3500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3f8194b-e23f-4248-96cc-2eca8c18787a.vbs"
        12⤵
        
        PID:640
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        13⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d242c04-024e-466c-a75f-9bd38f3b8e74.vbs"
        14⤵
        
        PID:1464
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        15⤵
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f037f62e-1b18-4d8b-91d1-9c44e1d534ae.vbs"
        16⤵
        
        PID:2380
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        17⤵
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34396c55-e854-4141-add9-e8355ee94ad4.vbs"
        18⤵
        
        PID:428
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        19⤵
        
        PID:3716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add9a5de-ac1c-48a0-9c32-482604592807.vbs"
        20⤵
        
        PID:756
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        21⤵
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\975df941-6722-4590-9df1-9780bc0986e3.vbs"
        22⤵
        
        PID:3920
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        23⤵
        
        PID:228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229e1a27-142e-4df6-b2ea-9aa3b912f425.vbs"
        24⤵
        
        PID:1100
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        25⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d90429eb-88d3-4974-9733-36d61eefee75.vbs"
        26⤵
        
        PID:3160
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        27⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f29f51cd-b9e7-4b41-b95e-72d536072c5e.vbs"
        28⤵
        
        PID:3716
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        29⤵
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6b21459-70aa-4195-87e6-adcd6b641c04.vbs"
        30⤵
        
        PID:4824
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        31⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\171ad0ce-701d-4e1d-8f02-34ebac789fb6.vbs"
        32⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\678a3144-fe80-4203-86f4-9f1d09d47532.vbs"
        32⤵
        
        PID:3492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2949c790-f6c3-4893-87ab-fda999c70c3e.vbs"
        30⤵
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8733e716-85fd-4431-9a34-d6be4929e4a7.vbs"
        28⤵
        
        PID:3220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97faa58-d78e-49b1-b46d-c5c7bc0b4b50.vbs"
        26⤵
        
        PID:3140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef289ef3-e311-4710-8d64-dcfd3f19eefb.vbs"
        24⤵
        
        PID:4072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2460c6ad-3ed1-41e1-a763-3cba6790501d.vbs"
        22⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cad51b5a-167b-4ac6-90b1-b1c34a901c9a.vbs"
        20⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e31e2bf-f114-43c2-95ac-02eaa47ccc77.vbs"
        18⤵
        
        PID:4828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46a86eaf-77f5-4393-a103-212541e66127.vbs"
        16⤵
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63eff310-9724-48a5-9088-f5ad9d3bb8d3.vbs"
        14⤵
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaeb1971-8972-4750-a6af-08767eab1239.vbs"
        12⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28fb8839-4756-4681-a26d-ec18598dd450.vbs"
        10⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a00c346c-3262-4de2-881e-9755a6ed83a5.vbs"
        8⤵
        
        PID:4456
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61316063-ca07-4973-b4fd-7393f4051328.vbs"
        6⤵
        
        PID:1920
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a133f0d1-527f-4fab-ab02-0d2b122582bb.vbs"
      4⤵
      PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Scenarios\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Scenarios\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\wininit.exe

Filesize
1.1MB

MD5
d0dfe272fcf2bad773960e439d09329b

SHA1
ae8ab87608cae4bd0fd211a9c98ac5f8c2e0ed59

SHA256
1fd813539587af6546449dfaafbe83724f43f4d00d45483fc6744c4c0c2be7c4

SHA512
110b961c9b814b4f4275d8d7c8a20ee26d68f6d8ca1c933f2be2e61ef503595ed61104bd9f0bec1fc89b6f627691ec996559485e66572bdf78c8ed7d4ef89c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efa4168b73a5e8ae56d49bcac4d67861

SHA1
b3fe6b2d9fc05ad7892a2c8b96914764336b3067

SHA256
7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca

SHA512
a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
87d9fe9e5ee685ff2b66e5396fcdcb99

SHA1
0ac74edba86591b97d1a7531c3d2e659f0843b7f

SHA256
f84df996802a7b65b0a58ecd1960f157bdc82f817bae81409eb4184e438ed9b8

SHA512
ce602ffb6822849af961afc13b972d0d344bbfaa50c5fe372cf475f424a9227f788ea64a1dfa9b96d8e01cfa2b7f0f9e695ea001ea37a6c7c235c86931d1cf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d242c04-024e-466c-a75f-9bd38f3b8e74.vbs

Filesize
709B

MD5
5c68c303992f96e2b4ecf15183a421f3

SHA1
bc5bf8def6a54cfece023e3dc811567799a462f8

SHA256
f1baea57ebfbd900909a9463ed3558975b4f144a250da67e8dc99d03f94d0b1c

SHA512
15885d76cc73dbcf4939e1a4a0bd09b472f1045038cb514607d7b0c386a0f646a622fd6667ed3f454dc4545d4fa924d3601b72505c705a14552d85625166ccfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d6885f8-cef2-45b6-b6fa-c0b18f0b2ebe.vbs

Filesize
709B

MD5
00ac623a20021c6c3389c97e1d2b7c0f

SHA1
b2d802ccea1bf61029b21fcab00457b3485d74ec

SHA256
84eb97563a29e9b8e2a6234e6902ed29860bb159914f9e7b35df7a463e9bef6c

SHA512
88adb9a1ce28a4059046ede5e27dfc34c86f92b84c0ec323247ebfb0a11e8e4953038a2d78231f1bef05ccb4250564bf6ddae150c82d30f1806c4b6a83f84e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\229e1a27-142e-4df6-b2ea-9aa3b912f425.vbs

Filesize
708B

MD5
db759652a0186a6cd48cb8cf5580a3d6

SHA1
2b86fb4c589083ce66098dfe0ea147168e7b08ec

SHA256
6c71bdcaa654454b1df87ce925762f5084b3917ec284b8621c78117bb23acc12

SHA512
c0d02809f124e9a51d98df01570f799ee47ac26eeaf1bca227997e170321b2472a5e3a00acba67bfc44118ef8ac7e473cdeab1f4ed735564b82c69e4764be65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\244bc7b163925fc3b62cb93c765d5f9abe0dc732.exe

Filesize
1.6MB

MD5
0772fb5a8b731b88bdd62d129823793f

SHA1
2fb36881c4326a6e494d260a13e563bf2616c44f

SHA256
f34ba15121f3b81cada2d516fc8028e8d5ae49381ee38d2f8c12e02348faf23e

SHA512
a407ea5d38819399e15e1709bd22c28a8ffbd1c7687e65c2926d0b1616514572a073128173387a6ada3d78f497d72280276da48120c42a56c2af3937e5c1ac7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\244bc7b163925fc3b62cb93c765d5f9abe0dc732.exe

Filesize
881KB

MD5
aa5e7f52272ee9b12d9baafb998fd1f2

SHA1
321e12dcca8264832b71ed201a727125dfecf5e6

SHA256
67291e91098521d8905ac78825944e23bae2d078ba665c70efb3a9dc81be0419

SHA512
9d192c3258b1b1671477b528e5404b0a5f98bc8c1daea297f8d69a24f26a5e94d2d218379850c4cd3a5bf42522baa81e083317773f4512547cf4d7e9f3d3f712

Download Submit
C:\Users\Admin\AppData\Local\Temp\34396c55-e854-4141-add9-e8355ee94ad4.vbs

Filesize
709B

MD5
a79037247f8d3de52b57afb6a17bdbaa

SHA1
fc1235984addb3cc00c84c78162f39b7f2aef89f

SHA256
4860e00f68b4e1da68e41e185ea5555aa205f5fd65e3430f09c5c6051a669aeb

SHA512
bf3eac5db286aa02019b73cdfea9a2ebb4191f68aec94432a243ccf6f42372366662e408e717e408dca8bfaa482c529f666af188623d747d8900201a410c799e

Download Submit
C:\Users\Admin\AppData\Local\Temp\873c7189-548d-4974-b83a-91d03defc608.vbs

Filesize
709B

MD5
a7ea692e8698418138ec7dadd8375ada

SHA1
747425392b8e0c5cdfd834e7d00735ec0dc2ff94

SHA256
df6b62cc020a8b8e5f13b6ac04f65c0118e3497130a21a58482c5f27c40cd3bc

SHA512
3ce1a279d3879bfc1739a0c43883f3fb8d37b8afabe266a7e4210f28c8e38c8f412bcbeff8278c7ba074d92c6a082c3cc4babbdfcc7de836e5c7cc511c101cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\975df941-6722-4590-9df1-9780bc0986e3.vbs

Filesize
709B

MD5
b0cf3fc1fcc6dcba1c7d4e1dbbcfe7b4

SHA1
bf0f3511368343d559ad2543b069044af09a6cb7

SHA256
4e7b6ddb2f5c55b43e5a1a0177895d697478170d28bb181495ceb7c2e6e8eeaa

SHA512
866ea491a532dc5b607323024ae98f2d68c3514e46fc629ff244f71571adeb6a9d7e0ae83f995c3df0f5517806606befc9c1531f719c4155e77c7c2d8c0ab97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ff3d4ec-dc13-4846-8299-5b3988543c6c.vbs

Filesize
708B

MD5
51e429cd7dfb2502db8a57b30cc287df

SHA1
418af27e93931a12a39f6cc12c937d9bba5ff6f5

SHA256
6e64830d37f2026ae3bafc28ca5f69774ca826580fc27b0be820252c98623020

SHA512
a3158ee2f5e59d9661474f5feb3c18401a429ff0bbc28e18eaa0e412af178c864c0ff64e36fcb7743b407e34ca1ccff697be8420f86ade4e67b0bba334ec232e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC286.tmp

Filesize
1.6MB

MD5
2a9ffe006a29261c5f168fdf0fe26434

SHA1
f445b266e10c6aa8862836249b7191e6844daea7

SHA256
44e8546f8e588d48b8cff32d70abcef37d3e3612cc84097832eda999bf621b95

SHA512
03cf6be019011547574ef760b8a2cc16396c43f4b392a93fd52004bbb2df712751d085f081c4c55926756fe6b2186a801d6d2557080c675281966881fba8cc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5kif4fd4.3y4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a133f0d1-527f-4fab-ab02-0d2b122582bb.vbs

Filesize
485B

MD5
beb5fe14e4d9060b01162404c4670510

SHA1
c34361280ae575e5c8658cb33916262bb7e31ddf

SHA256
3ea0e15aedf8b10f10c13723d8919eca8843990be7358010e6fcd656c950ecf6

SHA512
87d0e080733ee356ca2b72f128d78c1780b8ee9fe676e1379c353334ad21f2c7e329f1e7993dc6952855db9c6e83ab5cb58bd609180fa35267c5e048e0e7943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\add9a5de-ac1c-48a0-9c32-482604592807.vbs

Filesize
709B

MD5
1052417bf3d0495ba0e9a719eecb1315

SHA1
ab92436e44810f357e43ae048b6bdd4cbec38249

SHA256
3d74ef3dd97cfd8f446360da9434812120adeba47b7a0f29b9d1a31b4c590164

SHA512
db5b3447264c84cdb020cee9af78bc1871b1d04a61dafe22d97acba904c3559251dab3023eba7e708acfa3901ca1096efd32aede08e8f9bb0764e20788429232

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6b21459-70aa-4195-87e6-adcd6b641c04.vbs

Filesize
709B

MD5
1e412039081132c73c75b49b9f32f191

SHA1
1fd369edd922c78c03359f35c5ef8dee04e72e8e

SHA256
cfbe5a1dc44200fc9c79ef3fe9f9d85f64b3571e655d03749713e811c902ffb1

SHA512
3313f0b3706e5d31a896d5834d5e3a5d12e324cb03f693b95b09cd04469c01c5b6b9484a76de2ee78be5f265731649cbfa062b5754062ae85dbcefbded0c565a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d90429eb-88d3-4974-9733-36d61eefee75.vbs

Filesize
709B

MD5
8962b13d97314793cf248caf81b7338e

SHA1
0ec95534a043c92b4d07bd783fc4f8223fa4b4a6

SHA256
3a4edab79775e4db09b7323c454827b35c7a303615813cf7c80407754cb0f247

SHA512
bd511d86a7731a5b03aa009eb2454e02c313b7e477a6d8504d5d9466dd27ecfe61843f35dd18a5be6918c55e8c53fd47596dc1fdd646654c77c8e07ee6bc502a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f037f62e-1b18-4d8b-91d1-9c44e1d534ae.vbs

Filesize
709B

MD5
691244a9e7233a8514208f660ae11b95

SHA1
9ddbcd05459294bba31633f81f9893f6d4bbdd51

SHA256
5a3f0bf17cc08b30e80267462029e93bcd6377fd33f559722be777c4766ab831

SHA512
6cea0ec46d56961a52232ec67483d83f00dcd39de0f0a7a74f49a1fd5291bbeeb68d3c62a36a7e13c052be65d08d948412228e90cc375a9e276bd0fea23afc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\f29f51cd-b9e7-4b41-b95e-72d536072c5e.vbs

Filesize
709B

MD5
2ee059d058c2af3e48a155ba4f834b8e

SHA1
3007e30ed5a4745bdfdd340f52ed1f1d2fa03b16

SHA256
1f7b390088b653c05464e053432629f5e1dada4f5a2a586b54bf5ca440f1827e

SHA512
b75842eb5a0317e93441777fc300b7b021d5f56548babb857ee4227979a8857e65df390fe605c9be737e61fda0bb7dc961192ae386d022c21dbccabf2720f42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3f8194b-e23f-4248-96cc-2eca8c18787a.vbs

Filesize
709B

MD5
2e985bd4477235bda98fe0fb0c44f541

SHA1
9534ee7114d3bb0d7719264daba48707e239d43d

SHA256
b7b7957ac8a7706517f501aecb5cb48187f6c23a52a726dc047bda1a1e72e060

SHA512
50511c7e9142acf19eac0391a4b348ea51955cc43ee3133aa34d25e831d34e4b8c5eaab6f4b0369580dcb92d17008ded36d96d1123510061bee011024cf95503

Download Submit
C:\Users\Admin\AppData\Local\Temp\f66630f2-6c9c-4631-9e1c-1412427444ee.vbs

Filesize
708B

MD5
04a14b9fe671dfc2d222f992915a206e

SHA1
fdf0572ba5ae0a2ea88fec291fa67a10e7daf987

SHA256
6be561744385c03bc8fe08f8e3f6ba30ebf5d12c7723fd2244649a54a599b4f6

SHA512
1d35acb96313b354f7bd0f66491d8dfd41339e8a32542b4f7c3d04cc2edc9872f4ebb9c39e9a5637483c545fd4bb9de5acaadc9bb9e62be4bf5cba36f4ebc09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4dB2r8yAb.bat

Filesize
198B

MD5
1511e46c494a8eed2c6b94bccfa8ce9d

SHA1
bb7ad6e438fc0f06d08cd385419415968c683090

SHA256
55fd8e49a5fbc412b0c8b82fdb125e84ba1b7c9c6a2116d3c41e72c1671d7ed0

SHA512
c428220f549cac3886050c1cac13aa76ad0b0c368c975dade8caa107647e7356d8e6fe33b969702bd583bbb26a3aa4659a10997b7ce3f540f8ea8d2276daf1cf

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
70f43315b4b135d124b4f3a875aa6c7d

SHA1
56660fa80fbe087200a7f371f100800386073323

SHA256
9546acca4ab4796ca3fa5c747f14eeda1897c3f5554d204e326a0cea5127b967

SHA512
5c10f1934f1dc575ed506ff273249ddd0fc06326c95057eecccea6f25e988c6bf94b03a3bb8862c217c2f59c8d4aa184e34b175a1f5ce34a61b8c96057058444

Download Submit
memory/3644-12-0x000000001B340000-0x000000001B34A000-memory.dmp

Filesize
40KB

Download
memory/3644-0-0x00007FFF4D873000-0x00007FFF4D875000-memory.dmp

Filesize
8KB

Download
memory/3644-78-0x00007FFF4D870000-0x00007FFF4E331000-memory.dmp

Filesize
10.8MB

Download
memory/3644-3-0x00000000026A0000-0x00000000026BC000-memory.dmp

Filesize
112KB

Download
memory/3644-4-0x000000001B280000-0x000000001B2D0000-memory.dmp

Filesize
320KB

Download
memory/3644-6-0x00000000026E0000-0x00000000026F6000-memory.dmp

Filesize
88KB

Download
memory/3644-7-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/3644-8-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/3644-9-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/3644-1-0x0000000000440000-0x00000000005E2000-memory.dmp

Filesize
1.6MB

Download
memory/3644-13-0x000000001B350000-0x000000001B35E000-memory.dmp

Filesize
56KB

Download
memory/3644-16-0x000000001BBD0000-0x000000001BBDA000-memory.dmp

Filesize
40KB

Download
memory/3644-14-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/3644-15-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/3644-17-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/3644-11-0x0000000002790000-0x000000000279C000-memory.dmp

Filesize
48KB

Download
memory/3644-10-0x0000000002770000-0x000000000277C000-memory.dmp

Filesize
48KB

Download
memory/3644-5-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3644-2-0x00007FFF4D870000-0x00007FFF4E331000-memory.dmp

Filesize
10.8MB

Download
memory/3860-84-0x000001E5B2060000-0x000001E5B2082000-memory.dmp

Filesize
136KB

Download