dcrat | 579b72fd2fcc3cce6facff0b2b01a0571d041792d3a0b9f3ae7c7155467067a2

Analysis

max time kernel
1050s
max time network
1049s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Element.exe
Size

1.4MB
MD5

adbe8f67d479b99bcd29824cf1f2a54c
SHA1

a6a61e93fc60ab956114653b388d96a83d5fad04
SHA256

579b72fd2fcc3cce6facff0b2b01a0571d041792d3a0b9f3ae7c7155467067a2
SHA512

a88607580eb3848a990388e74e00402b594c437e0f732e16136feaba812a5ea47424eedfa3357af5ef70353a251a241e81636c21ada2504dc41d5526797239e7
SSDEEP

24576:u2G/nvxW3WieCNKvNRRk656mvI/1mBnUjJB4j3ST6rlcAqpJ/jko:ubA3jNgT60qjJGCTAqxrN

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\a6967cde399746f71342f34c4a76b5\\winlogon.exe\", \"C:\\Users\\Admin\\Links\\dllhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\a6967cde399746f71342f34c4a76b5\\winlogon.exe\""	ChainComsvc.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3012	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	3012	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3012	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3012	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	3012	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	3012	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x001d00000002b031-10.dat	dcrat
behavioral2/memory/1060-13-0x0000000000910000-0x0000000000A3A000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5992	powershell.exe
3344	powershell.exe
3708	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1060	ChainComsvc.exe
5272	winlogon.exe
5512	winlogon.exe
4248	dllhost.exe
4004	dllhost.exe
4628	winlogon.exe
5104	winlogon.exe
5908	dllhost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\a6967cde399746f71342f34c4a76b5\\winlogon.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\a6967cde399746f71342f34c4a76b5\\winlogon.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Links\\dllhost.exe\""	ChainComsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Links\\dllhost.exe\""	ChainComsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Element.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	ChainComsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	Element.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
240	schtasks.exe
2208	schtasks.exe
4616	schtasks.exe
2608	schtasks.exe
3304	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1500	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
1060	ChainComsvc.exe
3708	powershell.exe
3708	powershell.exe
5992	powershell.exe
5992	powershell.exe
3344	powershell.exe
3344	powershell.exe
5992	powershell.exe
3708	powershell.exe
3344	powershell.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe
5104	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5104	winlogon.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	ChainComsvc.exe
Token: SeDebugPrivilege	5272	winlogon.exe
Token: SeDebugPrivilege	5512	winlogon.exe
Token: SeDebugPrivilege	4248	dllhost.exe
Token: SeDebugPrivilege	4004	dllhost.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	4628	winlogon.exe
Token: SeDebugPrivilege	5104	winlogon.exe
Token: SeDebugPrivilege	5908	dllhost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
5104	winlogon.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 5988	4028	Element.exe	81
PID 4028 wrote to memory of 5988	4028	Element.exe	81
PID 4028 wrote to memory of 5988	4028	Element.exe	81
PID 5988 wrote to memory of 2316	5988	WScript.exe	83
PID 5988 wrote to memory of 2316	5988	WScript.exe	83
PID 5988 wrote to memory of 2316	5988	WScript.exe	83
PID 2316 wrote to memory of 1060	2316	cmd.exe	85
PID 2316 wrote to memory of 1060	2316	cmd.exe	85
PID 3396 wrote to memory of 5272	3396	cmd.exe	96
PID 3396 wrote to memory of 5272	3396	cmd.exe	96
PID 2748 wrote to memory of 5512	2748	cmd.exe	102
PID 2748 wrote to memory of 5512	2748	cmd.exe	102
PID 3588 wrote to memory of 4248	3588	cmd.exe	103
PID 3588 wrote to memory of 4248	3588	cmd.exe	103
PID 2728 wrote to memory of 4004	2728	cmd.exe	104
PID 2728 wrote to memory of 4004	2728	cmd.exe	104
PID 1060 wrote to memory of 5992	1060	ChainComsvc.exe	105
PID 1060 wrote to memory of 5992	1060	ChainComsvc.exe	105
PID 1060 wrote to memory of 3708	1060	ChainComsvc.exe	106
PID 1060 wrote to memory of 3708	1060	ChainComsvc.exe	106
PID 1060 wrote to memory of 3344	1060	ChainComsvc.exe	107
PID 1060 wrote to memory of 3344	1060	ChainComsvc.exe	107
PID 1060 wrote to memory of 5604	1060	ChainComsvc.exe	111
PID 1060 wrote to memory of 5604	1060	ChainComsvc.exe	111
PID 5604 wrote to memory of 5372	5604	cmd.exe	113
PID 5604 wrote to memory of 5372	5604	cmd.exe	113
PID 5604 wrote to memory of 4628	5604	cmd.exe	114
PID 5604 wrote to memory of 4628	5604	cmd.exe	114
PID 5104 wrote to memory of 5312	5104	winlogon.exe	122
PID 5104 wrote to memory of 5312	5104	winlogon.exe	122
PID 5104 wrote to memory of 4392	5104	winlogon.exe	123
PID 5104 wrote to memory of 4392	5104	winlogon.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Element.exe
"C:\Users\Admin\AppData\Local\Temp\Element.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comSavesSessionbrokerNet\137ZAQtz7T0KfqnihMmUn1LNjeAvS.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comSavesSessionbrokerNet\Dwq7lixZ2zOO3JgtN3iMKD.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\comSavesSessionbrokerNet\ChainComsvc.exe
      "C:\comSavesSessionbrokerNet\ChainComsvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comSavesSessionbrokerNet\ChainComsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4zDtkd3Qf5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5604
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5372
      - C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
        
        "C:\a6967cde399746f71342f34c4a76b5\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\a6967cde399746f71342f34c4a76b5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\a6967cde399746f71342f34c4a76b5\winlogon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3396
- C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
  C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\a6967cde399746f71342f34c4a76b5\winlogon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
  C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Links\dllhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\Links\dllhost.exe
  C:\Users\Admin\Links\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Links\dllhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\Links\dllhost.exe
  C:\Users\Admin\Links\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4248

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ApproveDebug.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:996

C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
C:\a6967cde399746f71342f34c4a76b5\winlogon.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b75baf2-5484-4a3c-819f-7600833c4dea.vbs"
  2⤵
  PID:5312
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3cc560f-b5f5-4388-814b-c28d10eca4b3.vbs"
  2⤵
  PID:4392

C:\Users\Admin\Links\dllhost.exe
C:\Users\Admin\Links\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
119B

MD5
653a80b99a97f49f75810056c506c6fa

SHA1
0aab4d88583b1e2b99ca3e4ff78837b3d9e7421d

SHA256
aebc098fef76882bed89133396e5c360147a4ead9412af3487637eeb711bc3e3

SHA512
8d63fbd2d3a977785eb8bd05a27c4980a7d544ad08e1c54b9eed6d288c6f4afad5d487532bdcc0b4fd2d668c968b0f31ce6787b2e0f33fedbe8b2b895485b061

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b75baf2-5484-4a3c-819f-7600833c4dea.vbs

Filesize
722B

MD5
c3e884914f81b58dd0351a310a518dfa

SHA1
7e8f1f25e2409fbe72bd585d4722f5fccd1a9881

SHA256
f6262894caf988449a7257c67daacba1ebca2fd20c1255899b517bc65629b245

SHA512
cc430995911c79344a39678b5b2e3cec159a55cc60ad344a955387b23ca8e6f0acf78ddd3320d9427342a97584c58227f5e595f26435bfec41acf184cf48e2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4zDtkd3Qf5.bat

Filesize
211B

MD5
4be065dc182a8d88fb45711599ce9124

SHA1
5ed9e3bbd339acd8f944a84327f58c6e57c4e7a9

SHA256
956358299d966b23c7049679c128584632392fd1272f99db29f988c0306db164

SHA512
1d6a7c271ed6a87f50ab14d846e99c3b8aea7457434f12973893994d18e6ba66c06706900f1e14b75a52ee01059f76bbbad7287028bcfb209dc62da7a8eec039

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzft4155.0pb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3cc560f-b5f5-4388-814b-c28d10eca4b3.vbs

Filesize
498B

MD5
6f3ebe7765309c7c1b05c13910299412

SHA1
c843c29082ea657550683a67d39fb7b734c6b3b6

SHA256
e7f0cf87ee1dbd0e85b7208065561b98817ecd34d72c726752d12ad8c543205d

SHA512
124636202e4c3dcadb9e43afbaf80e94ffc387c6ae5eec63b63a160274af370b8f9e438508b2f7b3d9752f36db43db2df468983ed35a98affab7f8a3a16a117c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
313B

MD5
be41b05a3e7c0528746772a4c3bc6162

SHA1
bc00571f374897afcc705822f590bf33d8e9b133

SHA256
187114a0eb35677eefba7551f4596eb015ffd75c4e6ba6b8ac3415df23ebfbba

SHA512
197f5d2e884b6a652670e85cdf45708dd484f021b62912de854a9e88e78450daec7738a800f8807b70ff2e2960cf1c317e82dcd56704287a7b48c0809bc7aaad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
85c97c622888e3524681d8b38074631c

SHA1
2981cd2a554b8c107569578761d07a584457ff9a

SHA256
c81ee20e6869ae5d666b88cc7153fb4e74ffed5d934535d4893c09029e746250

SHA512
3bd16568a30bda2430fd2c3524b3d9a6fc258a44a0d2dc2dab959a1b711bca7f64727bbe4ba163f8dcc0db649564bc39fc6c8b77fef1e2677306d3b4af2c63b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
e7cc737da781a06994c2ac99af084757

SHA1
e9c474257d5c304deb4de0907cd7d900067ab6b1

SHA256
f29f5ec5619622881cec276a5b1c94030a68a3b3ffe4925d03de23e0ca5cf0b1

SHA512
bec1a86a81b162c71791467c7fa9d1ee99ff1ee4241d232ae8e73d889ea419c4e4c486f9da2d7fe5c5644d3db3115ad10631e2f81ed065f85f24b9524095fff4

Download Submit
C:\comSavesSessionbrokerNet\137ZAQtz7T0KfqnihMmUn1LNjeAvS.vbe

Filesize
223B

MD5
8bda878ad816fcdfc732fbe16002def1

SHA1
9bc892a09cb9f9d945c16ba0afdc90aad639fbd6

SHA256
bdf68e1db80c1d790b7cb64580f80efd0f5a1beed23c3a3da2c4ebae2c601f76

SHA512
fba6b63daa0efcc5fe54065c7c3cf80e71bd838937dd1bf6a7861b33bbdb409fde9f9cf6dc5019726cbd64ba2396b16aedf596271b5e0e03cab9c559417e1cdd

Download Submit
C:\comSavesSessionbrokerNet\ChainComsvc.exe

Filesize
1.1MB

MD5
96fcb717c20c4e1629883d7bc366794f

SHA1
4f06e5ec4234031b67889afcba11cddaa7b2115d

SHA256
8635b498be98d750486f1a5e832bb862fe8c2248e983435546459bf101632221

SHA512
56037e13339873710c672c68f584aa1e6a2682248993a679b93ae07ad3e7f51d93c09e078d1e5c25a58fbca6869040fd2c363f8af43e95da5c9ed4cb00d092c6

Download Submit
C:\comSavesSessionbrokerNet\Dwq7lixZ2zOO3JgtN3iMKD.bat

Filesize
45B

MD5
1b8d4bcf85b42a18e60f7df6b5473318

SHA1
523c9e522f785f220dbf69f9c14f81bc8b221c3c

SHA256
587df711b165a596ca89bb178776223a1200d8a349a50dc06ec7a20d0483d16c

SHA512
735141589a81eadd8c16ba08f2befcc3b029d19f01e9ed701e85ab2876bcb2182833b96683795473a094e2e6c953337ef40accec685fd71e178d55aabefe3662

Download Submit
memory/1060-16-0x000000001C280000-0x000000001C7A8000-memory.dmp

Filesize
5.2MB

Download
memory/1060-17-0x000000001B5F0000-0x000000001B5FC000-memory.dmp

Filesize
48KB

Download
memory/1060-19-0x000000001B610000-0x000000001B61C000-memory.dmp

Filesize
48KB

Download
memory/1060-18-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/1060-12-0x00007FFAF9613000-0x00007FFAF9615000-memory.dmp

Filesize
8KB

Download
memory/1060-13-0x0000000000910000-0x0000000000A3A000-memory.dmp

Filesize
1.2MB

Download
memory/1060-14-0x000000001B5B0000-0x000000001B5C0000-memory.dmp

Filesize
64KB

Download
memory/1060-15-0x000000001B5C0000-0x000000001B5D2000-memory.dmp

Filesize
72KB

Download
memory/1500-80-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/1500-81-0x00007FFAD7EF0000-0x00007FFAD7F00000-memory.dmp

Filesize
64KB

Download
memory/1500-82-0x00007FFAD7EF0000-0x00007FFAD7F00000-memory.dmp

Filesize
64KB

Download
memory/1500-77-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/1500-78-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/1500-79-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/1500-76-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/5992-44-0x0000027682DC0000-0x0000027682DE2000-memory.dmp

Filesize
136KB

Download