dcrat | 1723094c0826db0bdeb23310afd13d750d2083d23af16e5f9c04b813a4b97dc1

Analysis

max time kernel
118s
max time network
153s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
16/04/2025, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niha-main/vosemOO.exe
Size

770KB
MD5

36529d8bbb2cc18300c2f8f0385f00b9
SHA1

17e6b115f54dfcafa175acd0efaa75a2657f21d7
SHA256

52c518defe564223c8d6f945b89226afddc338a1d46012ad14f62938983bb047
SHA512

f32272f19ae1c648903d04c7e154a07256a122cea3141a1519adc29deeb92bd64391bbcb0993f3a6fc0ace51ae278c6495e6c29c0fb46aeab1ef4a9a0d05ba93
SSDEEP

12288:RgTngo+MeFDxYGQWrqqEqJJMA+2pW3Ari4VVyZC0+1ctHNt8KF4AXD3Z6:RgTnv0xnq70JMA+23iE0n336

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\niha-main\\vosemOO.exe\""	vosemOO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	vosemOO.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	1588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	1588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	1588	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	1588	schtasks.exe	82

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral27/memory/5996-1-0x0000000000940000-0x0000000000A06000-memory.dmp	family_dcrat_v2
behavioral27/files/0x00090000000280b7-48.dat	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3616	powershell.exe
720	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	vosemOO.exe

Executes dropped EXE 2 IoCs

pid	Process
4632	staticfile.exe
5020	staticfile.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	vosemOO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\staticfile = "\"C:\\Users\\Admin\\AppData\\Local\\staticfile.exe\""	vosemOO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vosemOO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\niha-main\\vosemOO.exe\""	vosemOO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vosemOO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\niha-main\\vosemOO.exe\""	vosemOO.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCFB5C2BABFB8C4702A1516E17E06B9AEE.TMP	csc.exe
File created	\??\c:\Windows\System32\kejtd_.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCC2B0D3B534DB47BEA1DC6A37B7DE2BF5.TMP	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3864	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	vosemOO.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3864	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4636	schtasks.exe
1960	schtasks.exe
3348	schtasks.exe
4856	schtasks.exe
5172	schtasks.exe
4104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
5996	vosemOO.exe
720	powershell.exe
3616	powershell.exe
720	powershell.exe
3616	powershell.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe
1840	vosemOO.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	5996	vosemOO.exe
Token: SeDebugPrivilege	4632	staticfile.exe
Token: SeDebugPrivilege	5020	staticfile.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	2940	vosemOO.exe
Token: SeDebugPrivilege	3828	vosemOO.exe
Token: SeIncreaseQuotaPrivilege	3616	powershell.exe
Token: SeSecurityPrivilege	3616	powershell.exe
Token: SeTakeOwnershipPrivilege	3616	powershell.exe
Token: SeLoadDriverPrivilege	3616	powershell.exe
Token: SeSystemProfilePrivilege	3616	powershell.exe
Token: SeSystemtimePrivilege	3616	powershell.exe
Token: SeProfSingleProcessPrivilege	3616	powershell.exe
Token: SeIncBasePriorityPrivilege	3616	powershell.exe
Token: SeCreatePagefilePrivilege	3616	powershell.exe
Token: SeBackupPrivilege	3616	powershell.exe
Token: SeRestorePrivilege	3616	powershell.exe
Token: SeShutdownPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeSystemEnvironmentPrivilege	3616	powershell.exe
Token: SeRemoteShutdownPrivilege	3616	powershell.exe
Token: SeUndockPrivilege	3616	powershell.exe
Token: SeManageVolumePrivilege	3616	powershell.exe
Token: 33	3616	powershell.exe
Token: 34	3616	powershell.exe
Token: 35	3616	powershell.exe
Token: 36	3616	powershell.exe
Token: SeIncreaseQuotaPrivilege	720	powershell.exe
Token: SeSecurityPrivilege	720	powershell.exe
Token: SeTakeOwnershipPrivilege	720	powershell.exe
Token: SeLoadDriverPrivilege	720	powershell.exe
Token: SeSystemProfilePrivilege	720	powershell.exe
Token: SeSystemtimePrivilege	720	powershell.exe
Token: SeProfSingleProcessPrivilege	720	powershell.exe
Token: SeIncBasePriorityPrivilege	720	powershell.exe
Token: SeCreatePagefilePrivilege	720	powershell.exe
Token: SeBackupPrivilege	720	powershell.exe
Token: SeRestorePrivilege	720	powershell.exe
Token: SeShutdownPrivilege	720	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeSystemEnvironmentPrivilege	720	powershell.exe
Token: SeRemoteShutdownPrivilege	720	powershell.exe
Token: SeUndockPrivilege	720	powershell.exe
Token: SeManageVolumePrivilege	720	powershell.exe
Token: 33	720	powershell.exe
Token: 34	720	powershell.exe
Token: 35	720	powershell.exe
Token: 36	720	powershell.exe
Token: SeDebugPrivilege	1840	vosemOO.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5996 wrote to memory of 5784	5996	vosemOO.exe	86
PID 5996 wrote to memory of 5784	5996	vosemOO.exe	86
PID 5784 wrote to memory of 648	5784	csc.exe	88
PID 5784 wrote to memory of 648	5784	csc.exe	88
PID 5996 wrote to memory of 5540	5996	vosemOO.exe	89
PID 5996 wrote to memory of 5540	5996	vosemOO.exe	89
PID 5540 wrote to memory of 4700	5540	csc.exe	91
PID 5540 wrote to memory of 4700	5540	csc.exe	91
PID 4724 wrote to memory of 4632	4724	cmd.exe	98
PID 4724 wrote to memory of 4632	4724	cmd.exe	98
PID 4656 wrote to memory of 5020	4656	cmd.exe	99
PID 4656 wrote to memory of 5020	4656	cmd.exe	99
PID 5996 wrote to memory of 720	5996	vosemOO.exe	101
PID 5996 wrote to memory of 720	5996	vosemOO.exe	101
PID 5996 wrote to memory of 3616	5996	vosemOO.exe	102
PID 5996 wrote to memory of 3616	5996	vosemOO.exe	102
PID 5996 wrote to memory of 5088	5996	vosemOO.exe	109
PID 5996 wrote to memory of 5088	5996	vosemOO.exe	109
PID 4332 wrote to memory of 2940	4332	cmd.exe	111
PID 4332 wrote to memory of 2940	4332	cmd.exe	111
PID 4996 wrote to memory of 3828	4996	cmd.exe	112
PID 4996 wrote to memory of 3828	4996	cmd.exe	112
PID 5088 wrote to memory of 3716	5088	cmd.exe	113
PID 5088 wrote to memory of 3716	5088	cmd.exe	113
PID 5088 wrote to memory of 3864	5088	cmd.exe	114
PID 5088 wrote to memory of 3864	5088	cmd.exe	114
PID 5088 wrote to memory of 1840	5088	cmd.exe	121
PID 5088 wrote to memory of 1840	5088	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe
"C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfry4ywh\xfry4ywh.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:5784
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FF2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCC2B0D3B534DB47BEA1DC6A37B7DE2BF5.TMP"
    3⤵
    PID:648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jnevjngn\jnevjngn.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6225.tmp" "c:\Windows\System32\CSCFB5C2BABFB8C4702A1516E17E06B9AEE.TMP"
    3⤵
    PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\staticfile.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IKbm9S5YSc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3716
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe
    "C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfile" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\staticfile.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\staticfile.exe
  C:\Users\Admin\AppData\Local\staticfile.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\staticfile.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\staticfile.exe
  C:\Users\Admin\AppData\Local\staticfile.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vosemOOv" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vosemOO" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vosemOOv" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe
  C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe
  C:\Users\Admin\AppData\Local\Temp\niha-main\vosemOO.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\staticfile.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vosemOO.exe.log

Filesize
1KB

MD5
d679911a86abad4718daaeec483e3eac

SHA1
3df48db0926cbe529a3d5e96e92c35bf13131e40

SHA256
7d0b0cbefa3f7863f23841dcff8070c9172343523556fcac9483396713e618bb

SHA512
72e5442e54cf956d4dd9a81e1d03ee058e8c4b7ca3dd7bfe9f4f828c06a98b82289110f945efdaae69db86aec65ac4729ddd7e3ac4ec725511f91df2bb9d65cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b673d8907e3a8ca58abcc1958dd0ce66

SHA1
2000387933faa4c33029c00bf3d793775db2264f

SHA256
66e464a52be7e6c412919eb5136fb8d5578446e9c1bbb382bf8c33340943ddaa

SHA512
d4dc3299a56dfe4e69f73ddb53f589eaf5d1ff1b390d2394db4bf34846395608b83e3f75a56de12a69a3c4a02954650eec08fc030365d20991b193a5b001294b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKbm9S5YSc.bat

Filesize
183B

MD5
1f32bca821e7bdcca8e19be326653355

SHA1
90af0159c253d3c3f0c2ce01e138401553e6b4fb

SHA256
0a5cb266a1688476797080d71ebc88de34e1009c564369387e53e114ddf5c63e

SHA512
561e5fd4c7971a9a59fec48eded4c75361cbb19f8e52ee7549f818271d67200adde3a6a292d5059fcfa8ba7797e7553d1f46713828b2e6ce9159da3df5876c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FF2.tmp

Filesize
1KB

MD5
aa9a6a5abe463553a83e9cdcde04560e

SHA1
f14d4c9e2a1d655dfb2763198a5f1c46cc60ed47

SHA256
beb4238de96754021b9dc2f0182d52370a8ed62241b8e46ef041d38ddf83a95d

SHA512
234d4154696d20aae677e50a44cc0787060b5cc67161b26ae43155ffb0457019f95e7143bea8a37ed590452a5f4f6219e6865949153ed71ec41055b6a6f254dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6225.tmp

Filesize
1KB

MD5
8df8f62c796e6f29a509657fd1628ba1

SHA1
e4bec4571a77e5f024365cb5c977968461ddd79d

SHA256
52c26e5b24b6f43fc80894acc85ddb4f3593527d770164165db402b0b00ae1c2

SHA512
5ee85607bb35f6a8fb061076227afba352aae984608835a67dad9b0334cd8cfeb0c89bd36170743240ccab4d6686cbac4ae5d7f224ba4137ef28c86cccfd1ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4asdwnt.qsv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\staticfile.exe

Filesize
770KB

MD5
36529d8bbb2cc18300c2f8f0385f00b9

SHA1
17e6b115f54dfcafa175acd0efaa75a2657f21d7

SHA256
52c518defe564223c8d6f945b89226afddc338a1d46012ad14f62938983bb047

SHA512
f32272f19ae1c648903d04c7e154a07256a122cea3141a1519adc29deeb92bd64391bbcb0993f3a6fc0ace51ae278c6495e6c29c0fb46aeab1ef4a9a0d05ba93

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCC2B0D3B534DB47BEA1DC6A37B7DE2BF5.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jnevjngn\jnevjngn.0.cs

Filesize
375B

MD5
63eb91020af08106b3711c77825ac527

SHA1
2a821d3e1263932d33571cd95ea4121fb4fbe03f

SHA256
f3bfa8d745e33246be61a8723321e5b43e8c5fcabef9a2b20a63d6a3424590da

SHA512
78c3c30730f8561bc279a6b9c782ce60a930a487cd0f4bf8cbe55b10319563ef40c6797bc8e9fd79db4b8348bbf1170c4dd085d2780e179fd2504dc619051a1a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jnevjngn\jnevjngn.cmdline

Filesize
235B

MD5
f739a18358a1c107c14be274f75c4d1d

SHA1
9ace56756d71faeda9fd955d3570e5595bdd20e6

SHA256
aeaf128f192e48b9abfebe2237eb7c72eeebce6129be999896da5454a4d150f8

SHA512
3c98e0ae29d7df7e2afc224c9846b27c0091e1991b74be10252a86659ef61b695ae11482cd3835c851b94642a9a1833e4c6322767444f24a863c17bff998bcc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfry4ywh\xfry4ywh.0.cs

Filesize
405B

MD5
1740d3056387b34a4ef1d070fcafdb34

SHA1
57233eb03e84f0b9ed0260797e51c45da748a850

SHA256
20c660bc83911b7bc773fff5ef5c606cebf1c3654a8f920d327b4dc20cc6f002

SHA512
b978b1cc76166f959e8e81459ed9800dd78b3d0aa69ab10b0fa279e257314b77c4d258e1c559329122364c88e9c96c728c3f399123e15ed0dffa97e40d1e3166

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfry4ywh\xfry4ywh.cmdline

Filesize
265B

MD5
42e2be1bc2ace328aaab0371e508bc9a

SHA1
1a5385ebdc20f4b15fe3551bd1fd0767602a6021

SHA256
b0e3e2bf21517f7c2e7c20ca2676c24e8dde74befc65cdd29e8e3dc8ca67973c

SHA512
d98c1ca472509bb2a9ea9d136a733091abbacfaeed3eda4c73572e0741850ce4b51ac72dfc000c465647b10396795c1e6f7d4fa0a77f4fa28c368edbc6fd776f

Download Submit
\??\c:\Windows\System32\CSCFB5C2BABFB8C4702A1516E17E06B9AEE.TMP

Filesize
1KB

MD5
16bcebf17bce26a78732a4d5e3d2664c

SHA1
fd5c8c1ae57f7024392ad956d827f0d64fd03e15

SHA256
6b04da0d72f2a35a2ac4aed196a876c5b8dedeb39c00a4c915ec8b958b1f0ea4

SHA512
ff931cfffae42f660e6d017755be95897848e3ab96678f340eedadbec13e0de6b9ba77ed2f29ff0ef64ad639896bbf6d1c925593a9493e35d0c53fa7dc20fb20

Download Submit
memory/720-63-0x0000017584C00000-0x0000017584C22000-memory.dmp

Filesize
136KB

Download
memory/5996-14-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-8-0x000000001B8C0000-0x000000001B910000-memory.dmp

Filesize
320KB

Download
memory/5996-0-0x00007FFC9E313000-0x00007FFC9E315000-memory.dmp

Filesize
8KB

Download
memory/5996-13-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-18-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-12-0x00000000012D0000-0x00000000012DC000-memory.dmp

Filesize
48KB

Download
memory/5996-10-0x000000001B5F0000-0x000000001B608000-memory.dmp

Filesize
96KB

Download
memory/5996-17-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-54-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-7-0x0000000002AB0000-0x0000000002ACC000-memory.dmp

Filesize
112KB

Download
memory/5996-19-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-5-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-4-0x00000000012B0000-0x00000000012BE000-memory.dmp

Filesize
56KB

Download
memory/5996-2-0x00007FFC9E310000-0x00007FFC9EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5996-1-0x0000000000940000-0x0000000000A06000-memory.dmp

Filesize
792KB

Download