Overview

overview

10

Static

static

3

277b0b668d...d2.exe

windows7-x64

10

277b0b668d...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe

  • Size

    1.9MB

  • MD5

    967181542acac77f5b13f46542e84812

  • SHA1

    09fbf9cfb636459cc4d54308b5b1c91d32a29f22

  • SHA256

    277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2

  • SHA512

    323023582fcc14c30aca827db68bb91204a5e6dc894bb1228370a3c925bb28559778f09a0b3d4581d462921630cede3ac1cd4c864357ee5b4928698e5bbdf082

  • SSDEEP

    49152:LcC3djqo2xuELnaWpofrYR0nhJLVxIkpAUfKcwucQW1:LcC3djqo2PLaWyPrYkpsc6QW1

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
    "C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxj4tipz\rxj4tipz.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCA9.tmp" "c:\Windows\System32\CSCE2D30A8155C6438F98677976701766C4.TMP"
        3⤵
          PID:2624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\winlogon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3260
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\RuntimeBroker.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\uk-UA\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\RuntimeBroker.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\System.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ajSPhmLtJr.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3196
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:6052
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5724
          • C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe
            "C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:6020
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\uk-UA\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\uk-UA\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\uk-UA\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d22" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d22" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3364

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2.exe.log
        Filesize

        1KB

        MD5

        af6acd95d59de87c04642509c30e81c1

        SHA1

        f9549ae93fdb0a5861a79a08f60aa81c4b32377b

        SHA256

        7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

        SHA512

        93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        750e4be22a6fdadd7778a388198a9ee3

        SHA1

        8feb2054d8a3767833dd972535df54f0c3ab6648

        SHA256

        26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

        SHA512

        b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        62623d22bd9e037191765d5083ce16a3

        SHA1

        4a07da6872672f715a4780513d95ed8ddeefd259

        SHA256

        95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

        SHA512

        9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        59d97011e091004eaffb9816aa0b9abd

        SHA1

        1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

        SHA256

        18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

        SHA512

        d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e243a38635ff9a06c87c2a61a2200656

        SHA1

        ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

        SHA256

        af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

        SHA512

        4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESBCA9.tmp
        Filesize

        1KB

        MD5

        4330c3c09c8c8e078376ad9972687c4d

        SHA1

        aa5b7e164fae69be8a46c0509e445a2d5e5fdaba

        SHA256

        a79aecd8b88ffc70f7eb39d8847ad5f2f5dfa365ea9f0e49897f6daf3a8e6e69

        SHA512

        d9b53d296a8385714bc401087ac3ba0ceca0121abe117739b615a2b87d6ed5712c56cd46331e45f90d7188ba213b1ac0a4fc10aa3a18dfd9d2c83ced469fc09b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4053kok.yvx.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ajSPhmLtJr.bat
        Filesize

        230B

        MD5

        dfce843ccb48bc28e0b17dbda59c51a9

        SHA1

        3c8370e9880ad267eab2f83d41b5aa86aba44e30

        SHA256

        f10a3d010eb61f17d98614e04d9c091be5acf43b2852d2836f733c4176249f34

        SHA512

        1a0ef475c33c02524c731771a0dd299eb1b4a7aa85c54866822beb96a9dae0a7477d3d37ae38f53dd27b752a0194f1ac7be33ddd7d12ec3b742facbe34788461

        Download Submit

      • C:\Windows\LiveKernelReports\winlogon.exe
        Filesize

        1.9MB

        MD5

        967181542acac77f5b13f46542e84812

        SHA1

        09fbf9cfb636459cc4d54308b5b1c91d32a29f22

        SHA256

        277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2

        SHA512

        323023582fcc14c30aca827db68bb91204a5e6dc894bb1228370a3c925bb28559778f09a0b3d4581d462921630cede3ac1cd4c864357ee5b4928698e5bbdf082

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\rxj4tipz\rxj4tipz.0.cs
        Filesize

        373B

        MD5

        168e5490a2d71ad954d344ce5c2a776f

        SHA1

        e53b0bbe36786e47bd233c111e1b1105d2d50062

        SHA256

        2a4c1416d63062f2feefd555d57b1ce6a2ef9c6c6eb5547ed82f4fe218d80b34

        SHA512

        a666a150e976f0b611cc6ee9bafa90df9e4823718d11d1df2f39d4f789c1466e49d24add1b6d15516365e1f33459e6e645598f650ccf506bce49b55cbbe38280

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\rxj4tipz\rxj4tipz.cmdline
        Filesize

        235B

        MD5

        92c89fc25fa8caa6a4bed328814eebd4

        SHA1

        1de4e66072a4f1daba282069595845e969624d72

        SHA256

        444e0d19b8aea05fa8a136f2bdee89e7503f9e595ea772754c0b969a06ddb31c

        SHA512

        841f7215192031b0e7ce69222a9b95c61950aba578d49165aad1761eca1122da0da856a1368b388b09258a0339afab266cc4c3a218ca673221c5a7391a4ead91

        Download Submit

      • \??\c:\Windows\System32\CSCE2D30A8155C6438F98677976701766C4.TMP
        Filesize

        1KB

        MD5

        1c519e4618f2b468d0f490d4a716da11

        SHA1

        1a693d0046e48fa813e4fa3bb94ccd20d43e3106

        SHA256

        4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438

        SHA512

        99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd

        Download Submit

      • memory/1020-77-0x00000212DBE50000-0x00000212DBE72000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3416-53-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-14-0x0000000002E90000-0x0000000002E9C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3416-0-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3416-18-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3416-32-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-16-0x0000000002EA0000-0x0000000002EAE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3416-51-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-52-0x000000001C480000-0x000000001C521000-memory.dmp

        Filesize

        644KB

        Download

      • memory/3416-21-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-33-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-19-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-12-0x000000001B9C0000-0x000000001B9D8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3416-10-0x000000001BA10000-0x000000001BA60000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3416-9-0x000000001B9A0000-0x000000001B9BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3416-7-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-6-0x0000000002E80000-0x0000000002E8E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3416-4-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-3-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-2-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3416-1-0x0000000000B80000-0x0000000000D6E000-memory.dmp

        Filesize

        1.9MB

        Download