Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 06:14

General

  • Target

    9fef837bdea2dc9e761d7e177419aa4e.exe

  • Size

    1.1MB

  • MD5

    9fef837bdea2dc9e761d7e177419aa4e

  • SHA1

    528d8bfbcd30c1bb1a4d18798d6c1721607a8854

  • SHA256

    d5f6ca5a453ca37f5b13c6babe8a28e400411adb2b49f348340ec30b8a342d2d

  • SHA512

    73da2bde88483ea1c50b83b15012250e50f0e26cd5e7b6646249fc576041bdc9b002033775bab919f99e42b02effa98978302dc69a4baa6a3a21c2a27b1762bb

  • SSDEEP

    12288:p49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:pngTKZ5RU/xG7zsEyEve6SZ+dIe8usv

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 16 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 38 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fef837bdea2dc9e761d7e177419aa4e.exe
    "C:\Users\Admin\AppData\Local\Temp\9fef837bdea2dc9e761d7e177419aa4e.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9fef837bdea2dc9e761d7e177419aa4e.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.System.Launcher\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\docprop\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\AssignedAccessManager\sihost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DMRServer\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4576_864690144\unsecapp.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6120
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bkfkZqrQV.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:5776
        • C:\Users\Admin\AppData\Local\Temp\9fef837bdea2dc9e761d7e177419aa4e.exe
          "C:\Users\Admin\AppData\Local\Temp\9fef837bdea2dc9e761d7e177419aa4e.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9fef837bdea2dc9e761d7e177419aa4e.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc42\lsass.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mpr\WaaSMedicAgent.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\csrss.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5080
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\powercfg\SppExtComObj.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:6044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sdengin2\RuntimeBroker.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\embeddedmodesvcapi\SppExtComObj.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\WdacWmiProv\WmiPrvSE.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1392
          • C:\Windows\System32\sdengin2\RuntimeBroker.exe
            "C:\Windows\System32\sdengin2\RuntimeBroker.exe"
            4⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:4656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.System.Launcher\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\docprop\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\AssignedAccessManager\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\DMRServer\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4576_864690144\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\mfc42\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\System32\mpr\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\powercfg\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\sdengin2\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\embeddedmodesvcapi\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WdacWmiProv\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4796

    Network

    MITRE ATT&CK Enterprise v15

    Downloads
