Overview

overview

10

Static

static

3

CD0FDBF184...7D.exe

windows7-x64

10

CD0FDBF184...7D.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CD0FDBF184A188298A847D17AF361C7D.exe

  • Size

    2.2MB

  • MD5

    cd0fdbf184a188298a847d17af361c7d

  • SHA1

    d6394498b1dc80e93010b835940a463383bcf08a

  • SHA256

    741e00a1f7ef7e5fe69144adfb6023fe14d29ddcd1b9982a3ebcbced6748e8fc

  • SHA512

    08f5bcd179e16dc5bbc392bd70af00925e17e307de2c11b8f247b00f961f4d7861e6d52073ccac08bd48488f884c0b34154788062bfb799593c9546c6b173461

  • SSDEEP

    24576:2TbBv5rUyXVf7/weHc1lJq2tB/pw97SSwEWJSwDFrs7+6pa7gv6a9MrYetY5Q62w:IBJTqpji7SxFgz7XM7metv6s2N8WT

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CD0FDBF184A188298A847D17AF361C7D.exe
    "C:\Users\Admin\AppData\Local\Temp\CD0FDBF184A188298A847D17AF361C7D.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Hyperagentdll\ComponentDhcp.exe
          "C:\Hyperagentdll/ComponentDhcp.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zltqvuvg\zltqvuvg.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8879.tmp" "c:\Windows\System32\CSC82CD20C890124CDBA4A7D6965B6521B0.TMP"
              6⤵
                PID:1564
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1084
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3088
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4916
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Hyperagentdll/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2408
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2924
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3280
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4384
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4316
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:964
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4796
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:536
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4448
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\wininit.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4156
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\unsecapp.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4280
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2428
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3872
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Hyperagentdll\ComponentDhcp.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3884
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JM9oNwsW85.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:764
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:6080
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:5728
                • C:\Program Files (x86)\Windows Sidebar\unsecapp.exe
                  "C:\Program Files (x86)\Windows Sidebar\unsecapp.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1120
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:64
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3228
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1208
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 11 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ComponentDhcp" /sc ONLOGON /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1600
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ComponentDhcpC" /sc MINUTE /mo 5 /tr "'C:\Hyperagentdll\ComponentDhcp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1260

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Hyperagentdll\BsaJdQYq8XACECtkLxbuW.bat
        Filesize

        83B

        MD5

        ff4cfd867a098de6bb711fee46ab71f8

        SHA1

        0f9a4b8cbafd88088b32bef24ea4f21d8ddb8b5e

        SHA256

        978666a718f5416ab586100120a9ae873eec92589fe2ffdaa7fc16dd76c8a3e2

        SHA512

        f3b71b50fbab5f8ee6b99fe85890dd924df2475335ea13b75a401190cbb7a697abe88e49d1c63e79b5696145ed7139542e60a38713bd93e2400a15ac8ab1f4c4

        Download Submit

      • C:\Hyperagentdll\ComponentDhcp.exe
        Filesize

        1.9MB

        MD5

        38c14805a17436bc0118dfaa6547eec0

        SHA1

        77ee261fd0d14577058bd1114bfd4a34aa0990e6

        SHA256

        afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081

        SHA512

        bfec5fa0c4d45ebcc26bf18f3ccf0ea9b6bc6de62ce1ddfc012ef69f42c2bf45d90a3dc5f6537e62e6d0e30247eb0c2b5495249b01d0b158b6a73dd29e657754

        Download Submit

      • C:\Hyperagentdll\LC7NSPPjwsbedY3MJ.vbe
        Filesize

        212B

        MD5

        1d9cb1ea67761522a044d5a9d63c1d30

        SHA1

        39669d5dbd1acaf3fe109bcd9b8be67c554dcdc7

        SHA256

        221a01a4eb128921422b8a383388776740d3a7b014deaf6c312c3bb0a7143ef3

        SHA512

        5c68ab7b8ef9229e2f2fa93716f3aa30c88aeac1ff80f53c4be81a8b192a019b0d4ba6f7c729c4148e64a88875d5fb35ca4965dddea375f2010f392e9ec93780

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        cadef9abd087803c630df65264a6c81c

        SHA1

        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

        SHA256

        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

        SHA512

        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        5f0ddc7f3691c81ee14d17b419ba220d

        SHA1

        f0ef5fde8bab9d17c0b47137e014c91be888ee53

        SHA256

        a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

        SHA512

        2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e243a38635ff9a06c87c2a61a2200656

        SHA1

        ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

        SHA256

        af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

        SHA512

        4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JM9oNwsW85.bat
        Filesize

        179B

        MD5

        bdedb3653833bef94c667cb495a4e7f0

        SHA1

        10aa01f29d25b7830bdac3635f70951861dba586

        SHA256

        eb89aa65f611d292b995d0eaa6df99f0b1838e985eff4cf0aad40a593c09b33a

        SHA512

        38d081f9b7f7f10e0e17366e11537972833443a6e805baf495a0d9ff480561a12f6927138842a87eebc5420b5d3d9a8b0b49b8a25accf93aca4e10138e165ac1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES8879.tmp
        Filesize

        1KB

        MD5

        b97d650635ae368d25b5bb333691a1d9

        SHA1

        276a3f38d7105557091db76bdd55fdd03b764dc4

        SHA256

        48c860f2c3ed7f4e311321c29538021033cbe5bbe22400f1354980ad8c03bde8

        SHA512

        29beaaf7b83512924e177500412ae39cf656327b65cb62d0724aa19c1e18538fd971709535fefdf56c123e5f0312122175d0cbd409421c770cc01ea8c285b6e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pnsrav4.fhl.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\zltqvuvg\zltqvuvg.0.cs
        Filesize

        369B

        MD5

        4d094b34c495f602aebfee77e5b21ddc

        SHA1

        313f8323cd19f807b3b43fd3d2ef0731027c1c6f

        SHA256

        a3dbdddfca7244c68eaa4dd0e1dce71e3e4921a3c3cc771bb4384f3b27c02811

        SHA512

        4362b1a00d3d574aac98a439c89f43ff749c6a75ce539bb3454edc57d23a27c5f77d7f5a7e19c69bb1dceaba2f941ed82742bba4f489c345d6087025216c99f3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\zltqvuvg\zltqvuvg.cmdline
        Filesize

        235B

        MD5

        cbefc123c8cf10a13a54d81a483b79cb

        SHA1

        cbbab78144d552e2d277269767fd0c06d269e646

        SHA256

        40428c61c2cb368205cf2a1ac319ab7e590fd97f394cea056d6a7f2096e6bb13

        SHA512

        1e7d2f30269a532c86556c82474ec4897c13483753a5e944fb5f8aa2e72c438c906389def5e0b285fce51ecd2a5c7453858c6ee9b0707dc2a837602c1930e490

        Download Submit

      • \??\c:\Windows\System32\CSC82CD20C890124CDBA4A7D6965B6521B0.TMP
        Filesize

        1KB

        MD5

        be99f41194f5159cc131a1a4353a0e0a

        SHA1

        f24e3bf06e777b4de8d072166cff693e43f2295c

        SHA256

        564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf

        SHA512

        51d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5

        Download Submit

      • memory/2728-18-0x000000001BDC0000-0x000000001BE10000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2728-55-0x000000001C150000-0x000000001C1BB000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2728-24-0x0000000000E80000-0x0000000000E8E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2728-22-0x0000000000E70000-0x0000000000E7E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2728-20-0x000000001B140000-0x000000001B158000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2728-26-0x000000001B160000-0x000000001B16C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2728-17-0x000000001B120000-0x000000001B13C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2728-15-0x0000000000C50000-0x0000000000C5E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2728-13-0x0000000000300000-0x00000000004F2000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2728-12-0x00007FFC60263000-0x00007FFC60265000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4448-61-0x0000021EA9D20000-0x0000021EA9D42000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4936-267-0x000000001B490000-0x000000001B498000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4936-266-0x000000001BCD0000-0x000000001BD3B000-memory.dmp

        Filesize

        428KB

        Download