dcrat | 1723094c0826db0bdeb23310afd13d750d2083d23af16e5f9c04b813a4b97dc1

Analysis

max time kernel
147s
max time network
155s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
16/04/2025, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niha-main/OmNom.exe
Size

1.3MB
MD5

ffc7873930c72a5ea0107f4d5de5945b
SHA1

ac8f5bf70a2043afa0cc753efca759bb4835415a
SHA256

bc7f287e569ce65f3f4e04417ea1eca7eab499dd51b017ce83cf0974f922144b
SHA512

d7af1f3c74c01559b05bec2266ad1988ed6540a501fd324f6aa89bd290e4d3c696e40df6be8ef3a1adbedf110a9f49c4a16ca35e9e9c0b639f3f0b94095f9a50
SSDEEP

12288:++p1WbXkuEEaXMtEb4Rg68EiwKI5wzuuGhP/Sknk7HtcJEdqm2sJtPDjM5KOLXoL:+mtuaMtS+8g19qNZ6cEKHG50Tw6t

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	OmNom.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1508	schtasks.exe	107
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1508	schtasks.exe	107
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1508	schtasks.exe	107

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3212-1-0x0000000000030000-0x000000000017A000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0013000000016c41-182.dat	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5676	powershell.exe
5932	powershell.exe
4752	powershell.exe
5492	powershell.exe
1156	powershell.exe
2488	powershell.exe
3904	powershell.exe
4032	powershell.exe
1104	powershell.exe
1876	powershell.exe
5280	powershell.exe
4932	powershell.exe
2832	powershell.exe
1680	powershell.exe
4504	powershell.exe
1960	powershell.exe
244	powershell.exe
5216	powershell.exe
3364	powershell.exe
2308	powershell.exe
2960	powershell.exe
464	powershell.exe
704	powershell.exe
5164	powershell.exe
4604	powershell.exe
4368	powershell.exe
5240	powershell.exe
1916	powershell.exe
5220	powershell.exe
5696	powershell.exe
5544	powershell.exe
464	powershell.exe
1892	powershell.exe
3444	powershell.exe
3404	powershell.exe
3944	powershell.exe
5032	powershell.exe
4288	powershell.exe
2940	powershell.exe
1076	powershell.exe
1480	powershell.exe
5564	powershell.exe
5776	powershell.exe
5052	powershell.exe
1588	powershell.exe
5524	powershell.exe
5656	powershell.exe
3900	powershell.exe
3112	powershell.exe
4176	powershell.exe
2492	powershell.exe
1688	powershell.exe
5076	powershell.exe
5100	powershell.exe
5056	powershell.exe
4208	powershell.exe
1052	powershell.exe
2564	powershell.exe
5452	powershell.exe
540	powershell.exe
4744	powershell.exe
5864	powershell.exe
5456	powershell.exe
6024	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OmNom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	staticfile.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	staticfile.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	staticfile.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	staticfile.exe

Executes dropped EXE 7 IoCs

pid	Process
4596	staticfile.exe
4600	staticfile.exe
5672	staticfile.exe
4904	staticfile.exe
3540	staticfile.exe
4716	staticfile.exe
5296	staticfile.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	OmNom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	OmNom.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC77822388A3FD4ED78660BB5E3920F7.TMP	csc.exe
File created	\??\c:\Windows\System32\3gwg4g.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC2A86E4A293104C7CAFF7E78B9498F9A3.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1080	PING.EXE
560	PING.EXE
4696	PING.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OmNom.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	staticfile.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
560	PING.EXE
4696	PING.EXE
1080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4140	schtasks.exe
1084	schtasks.exe
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe
3212	OmNom.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	OmNom.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	5216	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeIncreaseQuotaPrivilege	4208	powershell.exe
Token: SeSecurityPrivilege	4208	powershell.exe
Token: SeTakeOwnershipPrivilege	4208	powershell.exe
Token: SeLoadDriverPrivilege	4208	powershell.exe
Token: SeSystemProfilePrivilege	4208	powershell.exe
Token: SeSystemtimePrivilege	4208	powershell.exe
Token: SeProfSingleProcessPrivilege	4208	powershell.exe
Token: SeIncBasePriorityPrivilege	4208	powershell.exe
Token: SeCreatePagefilePrivilege	4208	powershell.exe
Token: SeBackupPrivilege	4208	powershell.exe
Token: SeRestorePrivilege	4208	powershell.exe
Token: SeShutdownPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeSystemEnvironmentPrivilege	4208	powershell.exe
Token: SeRemoteShutdownPrivilege	4208	powershell.exe
Token: SeUndockPrivilege	4208	powershell.exe
Token: SeManageVolumePrivilege	4208	powershell.exe
Token: 33	4208	powershell.exe
Token: 34	4208	powershell.exe
Token: 35	4208	powershell.exe
Token: 36	4208	powershell.exe
Token: SeIncreaseQuotaPrivilege	5864	powershell.exe
Token: SeSecurityPrivilege	5864	powershell.exe
Token: SeTakeOwnershipPrivilege	5864	powershell.exe
Token: SeLoadDriverPrivilege	5864	powershell.exe
Token: SeSystemProfilePrivilege	5864	powershell.exe
Token: SeSystemtimePrivilege	5864	powershell.exe
Token: SeProfSingleProcessPrivilege	5864	powershell.exe
Token: SeIncBasePriorityPrivilege	5864	powershell.exe
Token: SeCreatePagefilePrivilege	5864	powershell.exe
Token: SeBackupPrivilege	5864	powershell.exe
Token: SeRestorePrivilege	5864	powershell.exe
Token: SeShutdownPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeSystemEnvironmentPrivilege	5864	powershell.exe
Token: SeRemoteShutdownPrivilege	5864	powershell.exe
Token: SeUndockPrivilege	5864	powershell.exe
Token: SeManageVolumePrivilege	5864	powershell.exe
Token: 33	5864	powershell.exe
Token: 34	5864	powershell.exe
Token: 35	5864	powershell.exe
Token: 36	5864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3900	powershell.exe
Token: SeSecurityPrivilege	3900	powershell.exe
Token: SeTakeOwnershipPrivilege	3900	powershell.exe
Token: SeLoadDriverPrivilege	3900	powershell.exe
Token: SeSystemProfilePrivilege	3900	powershell.exe
Token: SeSystemtimePrivilege	3900	powershell.exe
Token: SeProfSingleProcessPrivilege	3900	powershell.exe
Token: SeIncBasePriorityPrivilege	3900	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4208	3212	OmNom.exe	81
PID 3212 wrote to memory of 4208	3212	OmNom.exe	81
PID 3212 wrote to memory of 5696	3212	OmNom.exe	82
PID 3212 wrote to memory of 5696	3212	OmNom.exe	82
PID 3212 wrote to memory of 2564	3212	OmNom.exe	83
PID 3212 wrote to memory of 2564	3212	OmNom.exe	83
PID 3212 wrote to memory of 5216	3212	OmNom.exe	84
PID 3212 wrote to memory of 5216	3212	OmNom.exe	84
PID 3212 wrote to memory of 3900	3212	OmNom.exe	85
PID 3212 wrote to memory of 3900	3212	OmNom.exe	85
PID 3212 wrote to memory of 3904	3212	OmNom.exe	86
PID 3212 wrote to memory of 3904	3212	OmNom.exe	86
PID 3212 wrote to memory of 704	3212	OmNom.exe	87
PID 3212 wrote to memory of 704	3212	OmNom.exe	87
PID 3212 wrote to memory of 2488	3212	OmNom.exe	88
PID 3212 wrote to memory of 2488	3212	OmNom.exe	88
PID 3212 wrote to memory of 1420	3212	OmNom.exe	89
PID 3212 wrote to memory of 1420	3212	OmNom.exe	89
PID 3212 wrote to memory of 5056	3212	OmNom.exe	90
PID 3212 wrote to memory of 5056	3212	OmNom.exe	90
PID 3212 wrote to memory of 464	3212	OmNom.exe	91
PID 3212 wrote to memory of 464	3212	OmNom.exe	91
PID 3212 wrote to memory of 3404	3212	OmNom.exe	92
PID 3212 wrote to memory of 3404	3212	OmNom.exe	92
PID 3212 wrote to memory of 5864	3212	OmNom.exe	93
PID 3212 wrote to memory of 5864	3212	OmNom.exe	93
PID 3212 wrote to memory of 2992	3212	OmNom.exe	111
PID 3212 wrote to memory of 2992	3212	OmNom.exe	111
PID 2992 wrote to memory of 936	2992	csc.exe	113
PID 2992 wrote to memory of 936	2992	csc.exe	113
PID 3212 wrote to memory of 5492	3212	OmNom.exe	114
PID 3212 wrote to memory of 5492	3212	OmNom.exe	114
PID 5492 wrote to memory of 1000	5492	csc.exe	117
PID 5492 wrote to memory of 1000	5492	csc.exe	117
PID 3212 wrote to memory of 3516	3212	OmNom.exe	122
PID 3212 wrote to memory of 3516	3212	OmNom.exe	122
PID 1996 wrote to memory of 4596	1996	cmd.exe	124
PID 1996 wrote to memory of 4596	1996	cmd.exe	124
PID 2620 wrote to memory of 4600	2620	cmd.exe	125
PID 2620 wrote to memory of 4600	2620	cmd.exe	125
PID 3516 wrote to memory of 2944	3516	cmd.exe	126
PID 3516 wrote to memory of 2944	3516	cmd.exe	126
PID 3516 wrote to memory of 3356	3516	cmd.exe	127
PID 3516 wrote to memory of 3356	3516	cmd.exe	127
PID 4596 wrote to memory of 4176	4596	staticfile.exe	128
PID 4596 wrote to memory of 4176	4596	staticfile.exe	128
PID 4596 wrote to memory of 1104	4596	staticfile.exe	129
PID 4596 wrote to memory of 1104	4596	staticfile.exe	129
PID 4596 wrote to memory of 1568	4596	staticfile.exe	130
PID 4596 wrote to memory of 1568	4596	staticfile.exe	130
PID 4596 wrote to memory of 5032	4596	staticfile.exe	131
PID 4596 wrote to memory of 5032	4596	staticfile.exe	131
PID 4596 wrote to memory of 6136	4596	staticfile.exe	132
PID 4596 wrote to memory of 6136	4596	staticfile.exe	132
PID 4596 wrote to memory of 1588	4596	staticfile.exe	133
PID 4596 wrote to memory of 1588	4596	staticfile.exe	133
PID 4596 wrote to memory of 3944	4596	staticfile.exe	134
PID 4596 wrote to memory of 3944	4596	staticfile.exe	134
PID 4596 wrote to memory of 5676	4596	staticfile.exe	135
PID 4596 wrote to memory of 5676	4596	staticfile.exe	135
PID 4596 wrote to memory of 3364	4596	staticfile.exe	136
PID 4596 wrote to memory of 3364	4596	staticfile.exe	136
PID 4596 wrote to memory of 3112	4596	staticfile.exe	137
PID 4596 wrote to memory of 3112	4596	staticfile.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\niha-main\OmNom.exe
"C:\Users\Admin\AppData\Local\Temp\niha-main\OmNom.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/b16b2accc1da7e68e24c/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/cd67042925be50831d7420880235/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5pmorput\5pmorput.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F15.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC2A86E4A293104C7CAFF7E78B9498F9A3.TMP"
    3⤵
    PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fw0pkzlc\fw0pkzlc.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5492
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES758E.tmp" "c:\Windows\System32\CSC77822388A3FD4ED78660BB5E3920F7.TMP"
    3⤵
    PID:1000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8Pny0URhF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2944
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3356
- - C:\Users\Admin\AppData\Local\staticfile.exe
    "C:\Users\Admin\AppData\Local\staticfile.exe"
    3⤵
    - Executes dropped EXE
    PID:5672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfile" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\staticfile.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\staticfile.exe
  C:\Users\Admin\AppData\Local\staticfile.exe
  2⤵
  - Executes dropped EXE
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\staticfile.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\staticfile.exe
  C:\Users\Admin\AppData\Local\staticfile.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/b16b2accc1da7e68e24c/'
    3⤵
    PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/cd67042925be50831d7420880235/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    PID:3260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EWktresicd.bat"
    3⤵
    PID:3040
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5696
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1080
  - - C:\Users\Admin\AppData\Local\staticfile.exe
      "C:\Users\Admin\AppData\Local\staticfile.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/b16b2accc1da7e68e24c/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/cd67042925be50831d7420880235/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WHqdBEPCKu.bat"
        5⤵
        
        PID:4992
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5432
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:560
      - C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/b16b2accc1da7e68e24c/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/cd67042925be50831d7420880235/'
        7⤵
        
        PID:5896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        
        PID:5664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EWktresicd.bat"
        7⤵
        
        PID:3760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        9⤵
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/b16b2accc1da7e68e24c/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/cd67042925be50831d7420880235/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        9⤵
        
        PID:2500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        9⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fa12eP5s1A.bat"
        9⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        10⤵
        Executes dropped EXE
        
        PID:5296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/b16b2accc1da7e68e24c/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/cd67042925be50831d7420880235/'
        11⤵
        
        PID:732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        11⤵
        
        PID:5272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        11⤵
        
        PID:5400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        11⤵
        
        PID:2812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1156

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\staticfile.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7776cf95a44e18529aa5636469bbf807

SHA1
49e129bbb13bf7c313338e28dbe7e326874f0f94

SHA256
a1a115cb6182386ad8b5fc2900162732ae8f1366ada64e3e506d289f3beef7d2

SHA512
08a373b68dab36586bfb2318d534d9ab32949b260a04e7e50ea23645e719007597796bfaf2911e52c6dced1dd9f1522f7b0bf980fbd96f291ee0ea3f60f7b022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
717c2e8c23ffef48b4c3003feddc671c

SHA1
55fc120fb036c8606b19ee4bbb091ae6e057ead7

SHA256
656a782a3bd2d374cb30c288129469a929e485d276172fc95cfe9baa1d4ee780

SHA512
27c86c0e9660b0b7fd81f518f1cbf4a2d8bfce44a74705277adfb107965385f20c473e848f5343773bc5fdba983ffb62472d1ac63469d1cf486b852ad382a780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5940588a94c61b121268601a5d11eaf3

SHA1
91ed43120d102ea7cdebaad0aecd7396e5ff46f9

SHA256
532c7d141471b5e7e83291318425edce07a687d6f7617a486690c58a45f203c9

SHA512
9a932d43c002945a719d785c20edfd029edd1c44167e482e0ef51af0120c1ff3693273cd229c96547adeca42968dc8eb8ffaaf12e0e305e3746a62185d7f19fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ad41063701999dfcb87560699ca04f3

SHA1
be82f7cf30c6b4f4e22e9c453e1c4d18c30e2ef8

SHA256
ea52065c8620f9639317b96cd475c692583b0ec11c86aab4c76660f25bb7cb0c

SHA512
16fdb11015fc9771c6380cc0c6b69c930d8c869ca307d9c1219173aa79ebad3e87a75c42e8e07c82db4a73603fe68a8a39cc2bfc2768307953145ae925a8c47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f667b0a9fa65f577a763bd13bf5cae43

SHA1
cbf647317eb4c3239983d29b0cfb57dada3d04ce

SHA256
e9421b05a92473caee4dc115ba035bdea496f02a69781397e090e55d0ae10548

SHA512
aae023c4bb41223c5046b46ec903693d3a6191e5fce7ee185152aa90351feccc56737952ec66875c5b0b3584fb0f4e1dc0eac960e6da1bdfe7af1018d15737a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
220dda74b806a7d922bb05238f0aaf33

SHA1
6a0044e413f44d7920afb00c42dfd3924508bf04

SHA256
adb3bba239e93247dacd3fe0363f92abe73644dde42f297e5010537ba5a4ec97

SHA512
aee55155e912097004617bd41d4617668f8af98adf9d587d8a48375da2445226b4ac103774ee4d1483e8f2d2caef88551560b7105c9abe4d32486ad8e8e971ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b81fd79fcf10ae24b16070e0dd1d42

SHA1
eaf4a6e56bcb1f00581489a96f6b2ba776ec9f76

SHA256
d1b9ab85c49bd3026bc129b2fc2a1d10272dcf674b568506ec25db661a3bb562

SHA512
ac6b232e3cffdded2222ac683c20987e39344e4cce0bac5e63b02748f48a7c5a4a458896b8294d8d4bfba11dab37a0dc5e4e94f34ad1e0f583ec90e671b5ff07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b57620dfdd26d2e8de02fd56f58b2ea6

SHA1
8fe8eeabe9049aec09a794ecd2a8eb53105f7517

SHA256
215db45a1aec03bad19a591b0616d408881881076b22d334f8e0b243d53d07c3

SHA512
63d1b2c47490d9281fd0f226b36ba52d0f18abfff47f1d799dea4c5fc89cbe6ddeec76779f3d9ddc2d3cf2026712a0d09dd547fb5778b9edade957880f3c707f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d531ec91d9462fa1b55f1649b45d2d5

SHA1
96f7fc2c3c8a4c5e0d5ca72420ea771930875362

SHA256
d322f5c93985b2e2915932d6dc4d30761aefdf3a27a6517501c0577949626331

SHA512
e7bed21c7ec6aa2515dcc36a8ff778dc62504788c6625ca1ed0294f39d3ea5085993003a586df23bec6caf92feecb398b2091bdf775011f97645af173aa05726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d43286376be03f389a87e06d44f8b2d1

SHA1
1c6c4318420d3c5081e1dc54d634214d16c96394

SHA256
9726928a7fc276d504cf1a10f4018dcf741c44ed574e0031086469a43dacc26f

SHA512
3aa884d082de7dfa3d812d53f2d9c8ad13501a227a6e7c57aa33b3ca2139f2c96431e5b79b973c0d958ca2aee50f6d3372451902d218734d296fa30de1da4527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
259f92ca4969e252e3941605fc695b76

SHA1
25e5ccb6820e76e6d43051c1bbc5852974f3a909

SHA256
c9566654c22d290e28d0ab79da84712f58139bbf94340a9242eff1bb4ee952c0

SHA512
307a6a2a4941a94c02acb038cf1e8ec8882e664d748f0301c42d00d273f5ff77ab3a9b055f16c2a5b87291ea34e83344eb42984156bdcb1e6e050ba1061f1636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84e2b1a62be89871cce6c4bed411fc09

SHA1
0d405bf09597b5b9b931a322206e427ccc1f5910

SHA256
9e48f9a928db9a06b153ce0660fd691471dc4daef8850ca38d2942aa0c3ea7b3

SHA512
fc349b9d1614924c4b2a92a21e2a9f24f62502a8c19ffac80f38fdacf67ee02eabd66614ca461e9cbf42c82a3f6dfa4e510dfee8629949893bb4eefc4b4b58c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9bc72a98fe319ff3aeae8e868bc83ddd

SHA1
99b734b944418e2c0c00589811c403b7ad2175c8

SHA256
59d52aa277a2aaf519863613fce98afff4d52b74d8613855ac417e650d5b2aef

SHA512
5309cf854a7bab72c621c11406e8b46f35cd1a37cadf9dd9dc09447f8f825d75bb18a0902485203c9de87a4069d9f811b0475dd2509ceabd407bb850f6efd6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18871db99ca09cff1d1dedc533dcbb06

SHA1
5368763f8228598d0bf90b05aa9ecd4bbbb2e1e7

SHA256
b2d90be4c4fc05d5b3cb9f39131762537daf4ce7881bc011edf427ee86b2437d

SHA512
3ce8806021e5cf2aded9d1dcc3c0d0d44e6e9958db18defcc5176dc9cb532deb0152887eb13462424cd20c60519e7bb10039d54493f1ce6fd34b9e9e19fe090a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5b1e55c330b364825307889149a31b0

SHA1
323a0d9523bf7ae0be7e54baf5c44a001d58d50a

SHA256
998b50fc44404bf8d9ef3039c7242ab31c8394065058ac8aa2e905dedee017ca

SHA512
0a342d0894cec633bf3a40b9fca00fcb215630ce4cd3d015a39bbf370b1d6401bb4b63ef7e46220d1c8b87d8b35209ed428bb7bb005908970cdca1e9e736ec3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efa581a6293c592c8cb84635849da766

SHA1
cede7e78932106e530cb93bca79ccb9778c8d1a8

SHA256
6bb39bc8aa2f9fa1c9dfbc7955e83e41f7a64de32eadcdbd57f439b85281a316

SHA512
bd6877f89fc3fef0f69c6f0c268ae4aad05bd5735f513a81e3f44efb8052e5b03f040394f510902e0fa5d8698c7e1f974891480e9c95c5d314ab89417e196404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
860b6a25e4b29f37d34502a3a1a41ab9

SHA1
bd6a3df843c83d1654ad99f749ea53fd3c0498b7

SHA256
e4e6c182d7f03de2859fd8f1dca9bdafc129aff10aea0fdab2838987366f1a7c

SHA512
5582b8b44ae8c258731185f2a18d21d5796c6d9830b4d508a6504a0fc0a21914650a87876276fc3fe301bf1fb238b57d7d8e1134f93c124883ba54c779786548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
278efaf2ba6d2d044b66a6d82dc99610

SHA1
8c217c30a4d68a66e6d77079968df4f0bed57e51

SHA256
1472b306e403e28afcdea24aae1cf46848bfb05753f3cfe772cbf1f6a61893cd

SHA512
6656b189bc2236ca55bd7a21430121ed9adf859ba05e2ce7e6080552dd4467a8aa788afd5beb49e4428251f97acb87bcd186f048558c0d46f8d255bff8122122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22847394bf244de6b56b88928941166b

SHA1
807dbc419ce9b2932285950e66315ca212c69245

SHA256
8226958c4d1f2816ef5607519228000c34266f704a8a27b0e55817740ec62041

SHA512
60cb03bba9d8ef6be6b0d15446a70bacc5d0ff269da265eed20efa13086d4924bd5787a64b291c3618e8669c5fb5fbc256aa499ea47a35dd7fbdec623c216fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99ad7e51529817a1586ddcfb0147954a

SHA1
bc718dcdf0da3f75638b7d8ca9c587ae827766f4

SHA256
bc2981b07063924a67a595154d12a77f4fd38889fb9f3af6203a032dda3cf6c1

SHA512
652da861bdacadf02c2fda42fce6bb4d2bb09ced5f8e15c6edc642935732cbdcce52974c504ae9624221bdb7c3c30659727a40a10db51cafaa2b33b4de33f7db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ef884b965afd93aa9b3823006dac842

SHA1
8c551f413548dd31b5f3e6ce332225dd46bb928c

SHA256
53756309ddd2db869127b30a7722b35d2c38fb41772f408a1b07918f80922017

SHA512
962875563bd72821c035bac44c7cb434628aafa16c4bf9f96d53e79065ff29304b4b6937c2bc08f1274001f9c75f8917967c51f22e992ccc01731be27d04aa3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e15402eb4f2c8652c189cdac1ffa86b7

SHA1
23535728e99fcae89075a21afb96aa8493228a09

SHA256
4b766863d516c946cbf90f5463516196506142023abb1717f6c0d5a44f25359e

SHA512
ee5b0856d0bc79fc6f3b20e12efa4af8994033085560444d0307004f244bf470bcfc2b90af1823b572de80be546e64a9506a3cc8eeae4bb2948edca2693d0d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf3855d7e37ce89b5fae36d46e30bbf5

SHA1
09ac553f973ff0d046ddf714adaeb1639b897fc7

SHA256
900575cad0cc3c1c1dc9a17a97f9f56a2c0b200e332985ba413a421d295088ef

SHA512
071fea435e6f37d0459166004cab6d071b39b072e9f7d8b883cbd07322eac0eb6c1fd364543d98d15642d29b03618385ee30e81580d9f513c6bb2ab7e6ddf1d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7376b700f02f6a95da86a04f76ee8990

SHA1
ac7da7c73065a4e7adc6230926be1137e1670fba

SHA256
8a444d17856bc18408c2ba87bcdb6863a3a6479e537e44d71c2be051ecfc7f1a

SHA512
ec71afcccf78ec47b7f079b2e6f229109115780314b6d077bbeb852ecccdcd25aff8fc8dd543768ce55f5c9d17b62835f5e42853e849680cdc8c31ed71647bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db2e6a4c4d77ca160045c10d1cba949c

SHA1
6b11997bafeb289cc0afbf0a426bfe031b1e17c7

SHA256
c7a3cf1d821079416de69ad7e472acbb2f6f2d3333d4faec7a6b41ff9e30cefa

SHA512
1d4e737d1c58d51c051fde03223596fae6f587650937c1f4fa42c90afb4a3082910c745fbeb6516bc2c30fd1020a0bc3fe2e2feb93fafe7cb691ac5b32192cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbee854ee70ddcdab9b08c5e74e93124

SHA1
1ab84ab5b5d8d173cb4773f1ddbb0d777d9df1bc

SHA256
a9e6b71a3eb79f30b790b4fc248697d036a226bf3c89e9de183533fc32129f0e

SHA512
2d726c57dbfe45a5e1e8e62381dde8c052e1b7960be59ab5e246fe590ce2c3eee4c6093487392a132923ac9fbd2236445eab79e9f29a053f2e996227c98d2fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
241e90840321862217be2170d19f9de9

SHA1
e6023018ddd858a3dfd5d0495cf47e69ac595422

SHA256
8145b738e3e89f391d3fac25bebe6a79462f2806e3624d5b09165ca069d3b5ee

SHA512
1a838afc2cc6eae6d7df1a27f5a30953062d0beee86d8fdda713d836d83815c48a33e4506557d306c9718e5a877a3b857f38ae428980cb99df40e322e062ccb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eaa5dafac36d1a7d51de16e3e8d8a267

SHA1
3caada82786e5883562854ad694dffec7ae3eb91

SHA256
47c463b0086e2385ffa08c2b5a5a13e85c38750e5ec2a18a1ce4f28ee5214b9d

SHA512
97d9131cac11c646a3d6c2eb5e30f5e14bb96562add153e7810285b26080355942d4a84ef5fbfa39ca57b026b263ae48c2a440acde4b23d5bcedc081475953d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb5fda19488225d3f4d0af2fd272f988

SHA1
3b2f340e0176fc203e7a26d87e525b461862296c

SHA256
92916d4583892c94f11a5821ad3d1323f894b1e52e485dcef5a58662d21c796b

SHA512
8fe3b44c0739fb1449e6117c8efb799475a222863341a4ef7a10d7373b85ae8f7fa7c8c2604aedd686f02c15bc84f6715a586e43f06d93442b8abc858c4f47a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ca51d54f944a5e266e820f5ad3d0f6b

SHA1
5bd199a9cf05922ec6083ebf1e377e4115bbe09f

SHA256
b6daf20ff079b608c28eb5bab6f1c89c94af7cc2e597ba378eaded6134b2b6ee

SHA512
25ce072d95c8a9f57dda0d63af15ddef5c1f43fb954d108cef137b60debaf46b8b0bcd74a297266910e64e6746959b7e775153d8031393d0b554e4a75b06c491

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWktresicd.bat

Filesize
171B

MD5
ee5a3622a113bca14000f22aa2fc2140

SHA1
7909d1c95c88b6a3a17dd7a96638fe9558c92791

SHA256
d50909bd8de724c9449c2d5e3ba91f6b212be9c933a355d1eaf65aef84dfa2fe

SHA512
a625c2479cc51246f55911370194e159422229ffa8d114e75654dfd08874f64415f8f9ec0df7fb9f15b8c58b0f0f9a01e9f76ef82ce268970a9c6b733e8d9153

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F15.tmp

Filesize
1KB

MD5
f6f81eaaa808776d757fdef0c54f2f52

SHA1
14bdfd9ba17929a5edd005944a57ae5fb2a2fed8

SHA256
74c8bf98f943349c03941055777631fa4e7d77edc18ab6962ecb360d075f66cf

SHA512
8f56792bad222b45b5abca4a7cfd71aabc68a5a444203839158ef5a4b4496b371fa6042e84298789daad5a692c45f7c6b34a9df2f0b3380eccbe4fe4f91ad5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES758E.tmp

Filesize
1KB

MD5
ce36734c847988f5ae01103996401e20

SHA1
2bcabb7d49b1f40bc13274bdc0e45fc89a6de002

SHA256
ea4c2e5eb3e8436ac61e193a511ab81009e2017a2f62245ca4f66ff077bd84bb

SHA512
a829cbe18b01e8a4bb4568e695bebe27f8dfef4a176118bf7ad3dc204a454fa8001117d18f46bcb6cf612fe68e79d86eb8bc4806212d6f30f82719af6cf6a3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WHqdBEPCKu.bat

Filesize
171B

MD5
6e5111cc5c2e1c7feebea6ffb4333c68

SHA1
a528c4c217176c5124d56709334153b09dfeb513

SHA256
b197183984513e54f785077d48a186b147aab81e4aa01854cd7cec360646f94f

SHA512
24a86b68eb3d59bb15986eea233cdf6e2d3c6a37dc5eec99882998140825263c32c3b19e0b3ed24e455b255175b2bf9e04652bbca027a7097d04837d4dba878f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rtizcbsh.43c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa12eP5s1A.bat

Filesize
219B

MD5
34373881f023044908d51cc62b7dae06

SHA1
b1c906b798de25e6ae64cba12d8dc69d8a1228a8

SHA256
0410267bd9d002f3e44f1b9a8acc2f0633d02c12ae978ea85753cdb0ce4a2eb1

SHA512
f566109ed32a9b727801ccdf5c6c0ee9ef60f741af6ede49b43179f5fd44b175a60c6c9319dcb1462cdfe38b743bd9689e5708ddc9382946ffdb3b3e8766b235

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8Pny0URhF.bat

Filesize
219B

MD5
47502e39578f01647ecfbf8c3c70e39a

SHA1
5aff4a3ef353b9345c5a336d84e73013f0177665

SHA256
9a1bfdedda9a49029b67aa0b0f9e6af8b059236044708609387df8fee2c517f5

SHA512
eefba13f236a76ea6939e716f6c49fe382c4efbb49e7af56b094ab8caf0dbc3fb9cedd34d751a89b4cc793989414e7c33d839924291d6d5205b8f6179c230508

Download Submit
C:\Users\Admin\AppData\Local\staticfile.exe

Filesize
1.3MB

MD5
ffc7873930c72a5ea0107f4d5de5945b

SHA1
ac8f5bf70a2043afa0cc753efca759bb4835415a

SHA256
bc7f287e569ce65f3f4e04417ea1eca7eab499dd51b017ce83cf0974f922144b

SHA512
d7af1f3c74c01559b05bec2266ad1988ed6540a501fd324f6aa89bd290e4d3c696e40df6be8ef3a1adbedf110a9f49c4a16ca35e9e9c0b639f3f0b94095f9a50

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC2A86E4A293104C7CAFF7E78B9498F9A3.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5pmorput\5pmorput.0.cs

Filesize
405B

MD5
1740d3056387b34a4ef1d070fcafdb34

SHA1
57233eb03e84f0b9ed0260797e51c45da748a850

SHA256
20c660bc83911b7bc773fff5ef5c606cebf1c3654a8f920d327b4dc20cc6f002

SHA512
b978b1cc76166f959e8e81459ed9800dd78b3d0aa69ab10b0fa279e257314b77c4d258e1c559329122364c88e9c96c728c3f399123e15ed0dffa97e40d1e3166

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5pmorput\5pmorput.cmdline

Filesize
265B

MD5
b05026895bc2ee685352c3102625b127

SHA1
8d2beb6d338c80f2baa7da0fc0905e363b0038be

SHA256
cc81862853de7505b569b236313ff9250bd2905d9190554ef0d475c4c34a4b85

SHA512
52b06d68532c620388d10ae7fc778c4fc39a6d05af5b61410ff0204aea0760f238075e527b67e470c9ff7cf5a74c5e2cfd72cabcb107bc8556c619a6d9b4f061

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fw0pkzlc\fw0pkzlc.0.cs

Filesize
375B

MD5
ba4b36ac672558381f595ae2b44c4112

SHA1
ab6bffa754d67589ecb0abde1581ae58ce3c35fd

SHA256
e7ee24e4b3385646306d18b25024d40686b5269a3ae9c671c27fa5d15b44faf5

SHA512
a7cc355679c420451b00463a7f78cee8f5b1f88dd9acd2ef57142049d60344109b25f3d639a177642a34bbf615209905167452ac930e767e8d65604dc9ea6b8d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fw0pkzlc\fw0pkzlc.cmdline

Filesize
235B

MD5
6409cd0d62c96fd86a2bdff6ea503294

SHA1
655d7386e0c31de0a910e691c493f12190d33221

SHA256
0a3de1721bf2559c502425782e17f4f4eb7697af7c6fe4c1d435d2239df501de

SHA512
ac8a73116eece19d44e90a6fa74ff79fa118ffa2fa6c2cc53cca6e1ba50aca0d0bd365737cc99267c15617692dcda0ed9e3667dec64b761c2f9a3ba094563bb2

Download Submit
\??\c:\Windows\System32\CSC77822388A3FD4ED78660BB5E3920F7.TMP

Filesize
1KB

MD5
647753e4c24c8cf8aa8424b6f449e7b9

SHA1
37f6a6359f4a5d6dea133c9d34fb5c493783a41f

SHA256
cf62ae203c5fe77bcf215b2cf3b3d8158e30aa41d19a2f799ef885e171892f83

SHA512
74d71fa48e5d9c81f65943915aba900698ea87c714b688670fd62e1473bd68088b86c4afc2720956ce86f08e356e65ad0323baec69998c18379eb0eb298717e8

Download Submit
memory/2564-40-0x0000018272260000-0x0000018272282000-memory.dmp

Filesize
136KB

Download
memory/3212-7-0x0000000002220000-0x000000000223C000-memory.dmp

Filesize
112KB

Download
memory/3212-181-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-2-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-0-0x00007FFAE2833000-0x00007FFAE2835000-memory.dmp

Filesize
8KB

Download
memory/3212-1-0x0000000000030000-0x000000000017A000-memory.dmp

Filesize
1.3MB

Download
memory/3212-19-0x0000000002230000-0x000000000223E000-memory.dmp

Filesize
56KB

Download
memory/3212-21-0x000000001AFC0000-0x000000001B00E000-memory.dmp

Filesize
312KB

Download
memory/3212-24-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/3212-22-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-26-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/3212-5-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-4-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/3212-29-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-17-0x0000000002220000-0x000000000222E000-memory.dmp

Filesize
56KB

Download
memory/3212-8-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-9-0x0000000000A40000-0x0000000000A5C000-memory.dmp

Filesize
112KB

Download
memory/3212-10-0x000000001AF20000-0x000000001AF70000-memory.dmp

Filesize
320KB

Download
memory/3212-12-0x0000000002240000-0x0000000002258000-memory.dmp

Filesize
96KB

Download
memory/3212-14-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/3212-15-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-30-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download
memory/3212-27-0x00007FFAE2830000-0x00007FFAE32F2000-memory.dmp

Filesize
10.8MB

Download